playwright-skill
Warn
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The skill employs a universal executor (`run.js`) that creates and executes temporary JavaScript files at runtime based on agent-generated code or user input.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to navigate to and extract data from external, untrusted websites, which can serve as a vector for malicious instructions targeting the agent.
  - Ingestion points: Page content, metadata, and console logs from external URLs are processed by the agent as shown in `SKILL.md` and `lib/helpers.js`.
  - Boundary markers: The `SKILL.md` file contains documentation warnings regarding untrusted content, but the skill lacks technical delimiters or markers to prevent the agent from obeying instructions embedded in web content.
  - Capability inventory: The skill has file system write access (`run.js`), network access (via Playwright), and a mechanism for code execution.
  - Sanitization: No explicit sanitization or validation of external web data is performed before it is ingested into the agent context.
- [REMOTE_CODE_EXECUTION]: The skill's architecture allows for the execution of custom scripts that can perform network requests and interact with the local environment, which could be leveraged if the agent is influenced by malicious instructions or data.