playwright
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill processes untrusted external content by navigating to and snapshotting web pages, creating a primary attack surface for indirect prompt injection.
  - Ingestion points: Web page content (HTML, text, and metadata) enters the agent context via the `snapshot` command in `SKILL.md`.
  - Boundary markers: Absent. Content from external websites is ingested without delimitation or instructions to ignore embedded commands.
  - Capability inventory: Full browser control (clicking, typing, form submission), network access, and the ability to write to the local file system (`output/playwright/`).
  - Sanitization: Absent. No sanitization or filtering of external content is performed before the agent uses it to make interaction decisions.
- [Remote Code Execution] (LOW): The skill installs and executes the `@playwright/cli` package from the npm registry.
  - Evidence: Use of `npx --package @playwright/cli` and `npm install -g @playwright/cli@latest`.
  - Trust Status: Per [TRUST-SCOPE-RULE], this finding is downgraded to LOW as the package is maintained by Microsoft, a trusted organization.
- [Data Exfiltration] (MEDIUM): Browser automation facilitates the capture and potential transmission of sensitive data from both local and remote origins.
  - Evidence: Commands like `snapshot`, `screenshot`, and `tracing-start` allow the agent to extract and save state from the browser, which could include credentials, personal data, or internal system information.
- [Command Execution] (MEDIUM): The skill relies on executing terminal commands via a wrapper script (`playwright_cli.sh`) to control browser behavior.
Recommendations
- AI detected serious security threats
Audit Metadata