Navigator
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it retrieves and processes content from external, untrusted websites.
- Ingestion points: Web content is ingested through tools like
playwright_navigateandpage.evaluate()as described in SKILL.md and references/data-extraction.md. - Boundary markers: While the skill documentation defines clear operational boundaries, the code templates do not implement specific delimiters or 'ignore' instructions for data extracted from pages.
- Capability inventory: The skill possesses significant capabilities, including form filling, button clicking, and executing JavaScript in the browser context, which could be abused if an attacker can influence the agent via page content.
- Sanitization: The provided extraction logic does not show evidence of sanitizing or validating the content of extracted strings before they are returned or potentially used in subsequent prompts.
- [COMMAND_EXECUTION]: The skill uses Playwright and the Chrome DevTools Protocol (CDP) to automate browser actions and execute JavaScript within the page context.
- Evidence: Templates in references/playwright-cdp.md and references/data-extraction.md utilize
page.evaluate()to run code on target websites. While this is the intended purpose of the skill, it creates a surface area for code-based attacks originating from malicious web pages.
Audit Metadata