NYC

Playwright Browser Automation

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The skill is designed to execute arbitrary code provided by the agent. In run.js, the main() function takes input from the agent, writes it to a local file, and executes it using the Node.js require() function. This allows for unrestricted access to the host system's resources, including the file system and network.
  • [PROMPT_INJECTION] (HIGH): This skill is vulnerable to indirect prompt injection. Because it is a browser automation tool, it will process content from external websites. If a website contains malicious instructions, the agent may be coerced into executing harmful code through the run.js script. Evidence: The ingestion points (process.argv and stdin) in run.js lack any sanitization, boundary markers, or security constraints. Capability inventory includes full Node.js execution via require().
  • [COMMAND_EXECUTION] (MEDIUM): The installPlaywright() function automatically executes system commands (npm install and npx playwright install) using execSync. While intended for setup, this provides an additional vector for system interaction that occurs outside of controlled automation blocks.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 10:47 PM