playwright-skill
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
- [Dynamic Execution] (HIGH): The skill accepts arbitrary strings from command-line arguments or standard input, writes them to a temporary file, and executes them using the Node.js `require()` function. This provides a direct path for arbitrary code execution.
  - Evidence: `run.js` lines 58-81 (input collection), lines 180-184 (file write and `require` execution).
  - Mitigation: The severity is lowered to MEDIUM as this is the primary purpose of an automation executor, but users should ensure the agent only passes trusted code to this skill.
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill uses `execSync` to automatically run `npm install` and `npx playwright install` if the dependencies are missing. While common for setup, executing shell commands based on runtime checks is a security risk.
  - Evidence: `run.js` lines 41-45.
- [Indirect Prompt Injection] (LOW): This skill creates a significant attack surface for indirect prompt injection. A malicious website being automated could provide data that tricks the LLM into generating and executing malicious scripts via this skill.
  - Ingestion points: `run.js` (via `getCodeToExecute` which receives instructions from the agent).
  - Boundary markers: None present; the code is wrapped in a template but not sanitized.
  - Capability inventory: Full filesystem and network access via the Node.js environment and Playwright API.
  - Sanitization: None; the skill executes the provided string as raw code.
Audit Metadata