skills/slamb2k/mad-skills/play-tight

play-tight

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The 'Browser Investigator' subagent is designed to navigate to arbitrary URLs and extract text or data. This creates a significant attack surface where malicious content on a webpage could override agent instructions.
  • Ingestion Points: scripts/get-text.js, scripts/check-element.js, and scripts/navigate-and-extract.js all ingest content from external URLs.
  • Boundary Markers: None. The scripts return raw or truncated text without delimiters or 'ignore instructions' warnings.
  • Capability Inventory: The agent can execute shell commands (npm install), write files (take-screenshot.js), and navigate to any network or local resource via Playwright.
  • Sanitization: The scripts only perform basic length truncation and whitespace cleaning; there is no sanitization of the content itself.
  • [Data Exposure & Exfiltration] (HIGH): The browser scripts do not validate the scheme of the provided URL, so the file:// scheme is accepted alongside http:// and https://. This can be used to read sensitive local files from the machine running the agent.
  • Evidence: The page.goto(url) call in all three scripts (e.g., scripts/check-element.js) accepts any string. An attacker who controls the URL (directly, or through injected page content) could supply a URL like file:///etc/passwd to render a local file in the browser and then use get-text.js to extract its contents into the agent's context.
  • [Command Execution] (MEDIUM): The agent instructions require the execution of arbitrary shell commands for environment setup and dependency management.
  • Evidence: agents/browser-investigator-subagent.md directs the agent to run npm install and npm run install-browsers if checks fail. While intended for setup, these commands grant the agent broad execution privileges over the local system.
  • [External Downloads] (LOW): The skill downloads the playwright package and browser binaries at runtime.
  • Evidence: scripts/package.json lists playwright as a dependency, so npm install fetches the package from the npm registry, and npm run install-browsers fetches browser binaries from Microsoft's Playwright download servers. This is downgraded to LOW as Playwright is a trusted source per [TRUST-SCOPE-RULE].
  • [Dynamic Execution] (MEDIUM): The agent is instructed to use node -e for runtime checks of the environment.
  • Evidence: agents/browser-investigator-subagent.md includes a snippet: node -e "const { chromium } = require('playwright'); chromium.executablePath()" to check for browser availability.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 06:05 PM