playwright-cli
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- REMOTE_CODE_EXECUTION (MEDIUM): The run-code and eval commands allow for the execution of arbitrary JavaScript and Playwright code within the browser context. This is a powerful feature for automation but poses a risk of remote code execution if the parameters are derived from untrusted sources.
- DATA_EXFILTRATION (LOW): The skill provides explicit commands to access sensitive browser data, such as cookie-list, localstorage-list, and state-save auth.json. While necessary for session management and testing, these capabilities could be used to extract authentication tokens.
- EXTERNAL_DOWNLOADS (LOW): The documentation suggests the use of npx playwright-cli, which involves downloading and executing a package from the npm registry at runtime.
- Indirect Prompt Injection (LOW): This skill is highly susceptible to indirect prompt injection because it ingests untrusted data from the web.
  - Ingestion points: Data enters the agent context through playwright-cli goto, snapshot, and eval commands which read page content and metadata.
  - Boundary markers: The snapshot provides some structure (YAML), but there are no explicit instructions to ignore embedded commands in the processed web content.
  - Capability inventory: The skill has extensive capabilities including shell command execution (via Bash), file writing (screenshot, pdf, state-save), and cookie access.
  - Sanitization: There is no evidence of sanitization for the data retrieved from web pages before it is presented to the LLM.
Audit Metadata