playwright-skill

Warn

Audited by Socket on Apr 14, 2026

2 alerts found:

Anomaly x2

Anomaly LOW
run.js

This script is a legitimate but powerful CLI runner for Playwright automation that intentionally executes arbitrary code supplied by the user. The file itself does not contain obfuscated or covert malicious payloads, but it enables dangerous operations: full-privilege code execution by writing and then requiring temporary files, automatic execution of npm/npx install commands (supply-chain risk), and possible forwarding of environment-derived values into HTTP headers (risk of secret leakage). Treat any use of this tool as untrusted if the input or the environment is not controlled. Recommendations: do not run it with untrusted scripts, avoid the auto-install in sensitive environments, and inspect ./lib/helpers to see what it reads from the environment before use.

Confidence: 85%
Severity: 65%

Anomaly LOW
SKILL.md

SUSPICIOUS: The stated purpose matches browser automation, and the Playwright dependency is broadly consistent with that purpose. However, trust is reduced because the skill's effective behavior depends on undisclosed local code and an opaque setup script that may install binaries and execute arbitrary scripts. No clear credential theft or exfiltration is shown, but execution and supply-chain scope are broader than can be verified from the provided skill text alone.

Confidence: 85%
Severity: 57%

Audit Metadata

Analyzed At: Apr 14, 2026, 07:14 PM
Package URL: pkg:socket/skills-sh/sickn33%2Fantigravity-awesome-skills%2Fplaywright-skill%2F@256027c9aed894c1acd31c44f43dd2b3d4913554