browsing-with-playwright

Warn

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The scripts/start-server.sh script utilizes npx to download and execute the @playwright/mcp@latest package from the NPM registry at runtime.
  • [REMOTE_CODE_EXECUTION]: The browser_run_code and browser_evaluate tools (documented in references/playwright-tools.md) allow for the execution of arbitrary JavaScript snippets within the browser context.
  • [DATA_EXFILTRATION]: The browser_file_upload tool accepts absolute file paths, which could potentially be used to access and upload sensitive local files if the agent is directed to do so by malicious input.
  • [COMMAND_EXECUTION]: The scripts/mcp-client.py script employs subprocess.Popen with shell=True when using the stdio transport, which is a common pattern for executing shell commands.
  • [PROMPT_INJECTION]: The skill's primary function involves processing data from external websites, creating a surface for indirect prompt injection.
    1. Ingestion points: Web content retrieved via browser_navigate.
    2. Boundary markers: None identified in the provided files.
    3. Capability inventory: Arbitrary JS execution (browser_run_code), file uploads (browser_file_upload), and shell command execution in the client script.
    4. Sanitization: No explicit sanitization of web content before processing is evident in the provided scripts.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 9, 2026, 12:24 PM