playwright-cli
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
- Data Exposure & Exfiltration (HIGH): The skill provides commands to directly access and export sensitive authentication data.
  - `playwright-cli cookie-list` and `cookie-get` allow extraction of session tokens.
  - `playwright-cli state-save auth.json` exports the entire browser authentication state to a file.
  - `playwright-cli localstorage-list` and `sessionstorage-list` can expose PII or tokens stored in browser storage.
- Dynamic Execution & RCE (HIGH): The skill allows execution of arbitrary JavaScript and Playwright code within the browser context.
  - `playwright-cli eval "code"` and `playwright-cli run-code "code"` enable the agent to run any script on the current page.
  - This is particularly dangerous if the agent is directed to run code based on content found on an untrusted website (Indirect Prompt Injection).
- Indirect Prompt Injection (LOW): As a browser automation tool, the primary input is untrusted web content.
  - Ingestion points: `playwright-cli snapshot`, `playwright-cli eval`, and page navigation.
  - Capability inventory: Full network access via the browser, file writes (`screenshot`, `pdf`, `state-save`), and arbitrary JS execution.
  - Risk: A malicious website could contain instructions that trick the agent into using its `cookie-get` or `run-code` tools to exfiltrate data to an attacker-controlled endpoint.
- Privilege Escalation & System Modification (MEDIUM): The skill includes commands that modify the host system.
  - `playwright-cli install-browser` and `playwright-cli install --skills` download and execute external binaries/scripts.
  - `playwright-cli open --profile=/path/to/profile` allows the agent to interact with arbitrary directories on the filesystem, potentially targeting sensitive user data or configuration files.
Recommendations
- AI detected serious security threats