
playwright

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH

Tags: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill enables an agent to navigate to arbitrary URLs and ingest DOM snapshots, creating a primary attack vector for instructions embedded in web pages to influence or hijack agent behavior.
    * Ingestion points: Browser navigation and DOM snapshots through the script in scripts/playwright_cli.sh.
    * Boundary markers: Absent; no instructions are provided to distinguish between agent commands and webpage content.
    * Capability inventory: Full browser interaction including clicking, typing, and executing arbitrary JavaScript.
    * Sanitization: Absent; content retrieved from the browser is not sanitized before processing.
  • [Remote Code Execution] (LOW): The skill uses npx to download and execute the Playwright CLI tool at runtime.
    * Evidence: npx --package @playwright/cli in scripts/playwright_cli.sh.
    * Trust Status: Downgraded to LOW per [TRUST-SCOPE-RULE] as the package belongs to a trusted organization (Microsoft).
  • [Command Execution] (HIGH): Explicit support for running arbitrary JavaScript within the browser context allows for potential data exfiltration or session manipulation if the agent is influenced by malicious content.
    * Evidence: Use of pwcli eval and pwcli run-code documented in references/cli.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 15, 2026, 08:54 PM