playwright
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill's core workflow requires the agent to visit external URLs, take snapshots of DOM structures, and use that information to create test code and documentation. This is a classic injection surface where a malicious website could include hidden instructions to compromise the host system via the agent's file-writing or command-execution capabilities.
- Ingestion points: MCP Navigation and Snapshot tools,
WebFetch, andWebSearch(listed inallowed-tools). - Boundary markers: None. The instructions do not tell the agent to ignore instructions found within the processed HTML or snapshots.
- Capability inventory:
Write,Edit,Bash, andTasktools, which allow for persistent modification of the codebase and arbitrary shell execution. - Sanitization: None. The agent is encouraged to use "actual selectors from snapshots" directly in code generation.
- [Command Execution] (MEDIUM): The skill grants the agent broad access to the shell via
BashandTasktools. While intended for running Playwright tests and generating code, these tools provide an execution engine for any malicious commands injected via the browsing workflow.
Recommendations
- AI detected serious security threats
Audit Metadata