playwright-testing
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFE (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill leverages Playwright MCP tools to perform browser interactions like clicking, typing, and navigating. This is standard functionality for automated testing skills.
- [REMOTE_CODE_EXECUTION]: Through the use of `mcp__playwright__browser_evaluate`, the skill executes dynamic JavaScript within the target browser environment. While necessary for deep testing of canvas/WebGL applications, it represents a form of remote code execution on the target site.
- [EXTERNAL_DOWNLOADS]: The `imgdiff.py` script included in the skill references the `pillow` library. Pillow is a well-known, trusted, and widely-used Python package for image processing.
- [PROMPT_INJECTION]: The skill has a surface for indirect prompt injection as it ingests and reasons over data retrieved from external, potentially untrusted web environments.
  - Ingestion points: Untrusted data is ingested via `mcp__playwright__browser_console_messages`, `mcp__playwright__browser_snapshot`, and state data returned by `mcp__playwright__browser_evaluate`.
  - Boundary markers: The instructions do not specify any boundary markers or delimiters to help the agent distinguish between its own instructions and the data extracted from the browser.
  - Capability inventory: The agent has the capability to navigate to arbitrary URLs, click/type on pages, and execute arbitrary JavaScript in the browser.
  - Sanitization: There is no explicit sanitization or validation of the data extracted from the browser before it is passed to the agent for analysis.
Audit Metadata