playwright-mcp
Pass
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS REMOTE_CODE_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (LOW): The skill configures an MCP server using `npx -y @playwright/mcp`. This command automatically downloads and executes the package from the npm registry. While this is a remote execution pattern, the `@playwright` scope is maintained by Microsoft, which is a trusted organization, justifying a LOW severity level.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process data from external websites, creating a vulnerability to indirect prompt injection.
  - Ingestion points: `browser_snapshot` (reads accessibility tree), `browser_console_messages` (reads JS logs), and `browser_wait_for` (reads page text).
  - Boundary markers: Absent. There are no instructions for the agent to ignore or delimit content found on the pages.
  - Capability inventory: The skill can perform active web interactions including `browser_navigate`, `browser_click`, and `browser_fill_form`.
  - Sanitization: Absent. Data from the browser is passed directly to the agent context without filtering.
Audit Metadata