playwriter
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary JavaScript/Playwright code using the
-eflag and theexecutetool. This code runs directly in the user's active browser session. Evidence:playwriter -s 1 -e 'await page.goto("https://example.com")'and theexecutetool description inSKILL.md.\n- [REMOTE_CODE_EXECUTION]: Installation instructions require fetching theplaywriterpackage from NPM usingnpxornpm install -g. These commands download and execute code from a third-party registry without version pinning or integrity checks. Evidence:npm install -g playwriterandnpx -y playwriter@latestinSKILL.md.\n- [DATA_EXFILTRATION]: The skill's primary design is to access authenticated browser states, including cookies, sessions, and extensions. It includes specific tools for network request interception and screen recording, which can be used to extract sensitive information from the browser. Evidence:page.on("request", r => state.requests.push(r.url()))andrecording.start()examples inSKILL.md.\n- [COMMAND_EXECUTION]: A remote relay server feature allows the browser to be controlled from another machine over a WebSocket connection. Evidence:playwriter serve --token my-secretinSKILL.md.\n- [PROMPT_INJECTION]: The skill ingests untrusted data from external websites, creating a surface for indirect prompt injection.\n - Ingestion points:
snapshot({ page }),getPageMarkdown(), andgetCleanHTML()inSKILL.mdread content from visited websites.\n - Boundary markers: None identified; instructions do not specify delimiters to isolate web content from agent commands.\n
- Capability inventory: The skill has access to
Bash,Write, and arbitrary browser code execution (playwriter -e).\n - Sanitization: No evidence of sanitization or filtering of the ingested web content before it is processed by the agent.
Audit Metadata