playwright

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill's examples and recommended "fill" commands show plaintext credentials (e.g., "password123") and instruct embedding values directly into CLI commands, which encourages including user secrets verbatim in generated output and creates an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md and references (e.g., Quick start and Core workflow) explicitly instruct the CLI to open arbitrary web pages ("$PWCLI open "), snapshot and eval page content (references/workflows.md shows eval "document.title" and text extraction), so the agent will fetch and interpret public third‑party webpages whose content can materially influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The wrapper script runs npx --package @playwright/mcp which will fetch and execute the @playwright/mcp package from the npm registry at runtime (e.g. https://registry.npmjs.org/@playwright%2Fmcp), so the skill requires and executes remote code fetched during runtime.