browsing-with-playwright
Warn
Audited by Snyk on Feb 21, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). Flagged: SKILL.md (Navigation and Data Extraction workflows) and references/playwright-tools.md explicitly allow browser_navigate to arbitrary URLs plus browser_snapshot and browser_run_code/browser_evaluate to read and act on page content, meaning the agent will fetch and interpret untrusted public web pages that can materially influence subsequent actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill starts an MCP server at runtime using npx (e.g., "npx @playwright/mcp@latest --port 8808 --shared-browser-context" in scripts/start-server.sh and the stdio example "npx -y @modelcontextprotocol/server-github" in mcp-client usage), which fetches and executes remote npm package code required for the skill to run, so it is a runtime fetch-and-execute dependency.