playwright-cli
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The skill provides a `run-code <code>` command which allows the agent to execute arbitrary JavaScript snippets within the browser context. While intended for automation, this can be abused to perform Cross-Site Scripting (XSS) or exfiltrate sensitive session data if the agent is manipulated.
- EXTERNAL_DOWNLOADS (LOW): The skill installs the `@playwright/mcp` package globally from npm. Although the `@playwright` namespace is generally associated with Microsoft (a trusted organization), installing external binaries is a security-sensitive operation. Per [TRUST-SCOPE-RULE], this is downgraded but remains a point of interest.
- PROMPT_INJECTION (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: `playwright-cli open`, `playwright-cli snapshot`, and `playwright-cli console` ingest data from external, untrusted websites.
  - Boundary markers: Absent. There are no instructions or delimiters to help the agent distinguish between its own commands and data retrieved from a web page.
  - Capability inventory: The skill possesses dangerous capabilities including `run-code` (script execution), `screenshot`/`pdf` (data extraction), and full network access via the browser.
  - Sanitization: Absent. Content from snapshots or console logs is processed directly by the agent without filtering.
- COMMAND_EXECUTION (LOW): The skill executes various system commands through the `playwright-cli` binary, which interacts directly with the host's operating system to manage browser instances.