playwright-skill

This module is not visibly obfuscated and does not contain explicit malware logic in the shown code. However, it is a high-risk arbitrary JavaScript execution harness: it accepts externally provided code (file/stdin/inline) and executes it via require() from a generated temp module, with Node-level privileges. It also auto-runs npm install and Playwright browser installation when missing, increasing supply-chain/network exposure. Additionally, it injects environment-derived extraHTTPHeaders into Playwright usage when user code does not include its own require(), which could contribute to sensitive data leakage depending on helper behavior and the executed script.