Playwright Browser Automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (CRITICAL): The 'run.js' script implements a 'Universal Executor' pattern. It captures input from 'stdin' or command-line arguments, writes this input to a temporary '.js' file on disk, and then executes it using 'require()'. This allows the execution of arbitrary Node.js code on the host machine.
  • [INDIRECT_PROMPT_INJECTION] (CRITICAL): This skill is highly vulnerable to indirect prompt injection because its primary purpose is to execute code generated by an agent. If the agent is instructed to browse a malicious website, that website can provide JavaScript instructions which the agent then passes to this skill for execution.
      • Ingestion points: 'run.js' reads raw input via 'process.argv' and 'process.stdin'.
      • Boundary markers: None. The script does not attempt to delimit or verify the source of the code.
      • Capability inventory: By executing arbitrary JS, the skill has full access to the filesystem ('fs'), subprocess execution ('child_process'), and networking APIs.
      • Sanitization: No sanitization or sandboxing is performed; the raw input is wrapped in a simple async template and executed with full user privileges.
  • [COMMAND_EXECUTION] (HIGH): The 'installPlaywright' function calls 'execSync' to run 'npm install' and 'npx playwright install'. This allows the skill to download and install arbitrary binaries and Node packages at runtime, which could be exploited to download malicious payloads.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 12:37 AM