browsing-with-playwright
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The script `scripts/start-server.sh` executes `npx @playwright/mcp@latest`. This downloads and runs a package from the public npm registry at runtime without version pinning, which leaves the skill exposed to supply-chain attacks (a compromised or replaced package version is pulled and executed automatically).
- [REMOTE_CODE_EXECUTION] (HIGH): Using `npx` to fetch and immediately execute `@latest` code constitutes unverified remote code execution: no specific version, checksum or signature is checked before the code runs.
- [DYNAMIC_EXECUTION] (MEDIUM): The skill exposes the `browser_run_code` and `browser_evaluate` tools in `SKILL.md`. These allow execution of arbitrary JavaScript within the browser context, which is a powerful and potentially dangerous capability if misused.
- [INDIRECT_PROMPT_INJECTION] (LOW):
  - Ingestion points: Web content is ingested via `browser_snapshot` in `SKILL.md`.
  - Boundary markers: None. There are no instructions telling the agent to ignore instructions embedded in the web pages it browses.
  - Capability inventory: Arbitrary JS execution (`browser_run_code`), form filling (`browser_fill_form`), and navigation (`browser_navigate`), as seen in `SKILL.md`.
  - Sanitization: None. The skill does not appear to sanitize or filter content retrieved from the web before the agent processes it.
- [COMMAND_EXECUTION] (LOW): The skill relies on shell scripts (`scripts/start-server.sh`, `scripts/stop-server.sh`) to manage background processes and uses `pgrep` and `pkill` to manage the lifecycle of the MCP server.
Recommendations
- AI detected serious security threats
Audit Metadata