playwright-cli
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides the `run-code` and `eval` commands, which enable the execution of arbitrary JavaScript and Playwright code within the browser and local environment. This is a high-privilege feature that could be used to execute malicious logic if the agent is misled. Evidence: SKILL.md, references/running-code.md.
- [CREDENTIALS_UNSAFE]: Through commands like `state-save`, `cookie-list`, and `cookie-get`, the skill can access and persist sensitive browser state. This data frequently contains authentication tokens and session identifiers that could be compromised if stored insecurely. Evidence: references/storage-state.md.
- [DATA_EXFILTRATION]: The `tracing-start` feature captures comprehensive network logs, including all HTTP request/response headers and bodies. This can lead to the accidental capture of secrets like passwords or bearer tokens during automation. Evidence: references/tracing.md.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes content from arbitrary external websites visited via the `open` or `goto` commands.
  - Ingestion points: External web content is ingested through browser snapshots and DOM extraction commands (SKILL.md).
  - Boundary markers: There are no explicit delimiters or instructions provided to the agent to disregard commands found within the processed web data.
  - Capability inventory: The skill has extensive capabilities including arbitrary code execution (`run-code`), file writing (`state-save`, `screenshot`), and network monitoring.
  - Sanitization: No sanitization or filtering of the page content is performed before it is returned as a snapshot to the agent.