playwright

Fail

Audited by Gen Agent Trust Hub on Feb 15, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) due to its core operational design.
  • Ingestion points: The 'MCP Workflow' in SKILL.md mandates that the agent navigate to external target pages and take snapshots/screenshots to document DOM structures and selectors.
  • Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between legitimate UI elements and malicious instructions embedded in the target page's HTML (e.g., hidden text or comments).
  • Capability inventory: The skill allows the use of Write, Edit, and Bash tools, giving the agent the power to modify the local codebase and execute shell commands based on what it 'sees' on the webpage.
  • Sanitization: No sanitization or validation is applied to content extracted from the web before it is interpolated into prompts or used to generate executable test scripts.
  • [COMMAND_EXECUTION] (MEDIUM): The skill explicitly provides shell commands for running tests (npx playwright test). While standard for this use case, the presence of these tools alongside the ingestion of untrusted external data allows for potential command injection or the execution of malicious test scripts generated via the injection vector described above.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill relies on npx, which dynamically downloads the Playwright runner and browser binaries if they are not already cached. While Microsoft (the owner of Playwright) is generally a trusted organization, this remains a runtime dependency on external code.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 15, 2026, 10:50 PM