playwright-cli

Fail

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill features a run-code command that executes arbitrary JavaScript strings within the browser context. The documentation demonstrates that this environment has access to Node.js built-in modules like fs, allowing the agent to read and write files on the host machine beyond the browser's sandbox.
  • Evidence: Examples in request-mocking.md and running-custom-code.md show usage of require('fs') and download.saveAs to interact with local paths like /tmp/export.csv.
  • [COMMAND_EXECUTION]: The skill is configured to allow the agent to execute a wide range of browser automation tasks through the playwright-cli binary using a Bash tool interface.
  • Evidence: The allowed-tools section in SKILL.md specifies Bash(playwright-cli:*).
  • [DATA_EXFILTRATION]: The skill provides numerous methods to extract sensitive information from the browser, including the ability to list and get cookies, localStorage, sessionStorage, and the system clipboard. This data can be saved to local files or processed by the agent.
  • Evidence: Commands such as cookie-list, localstorage-get, and clipboard reading examples in storage-and-auth.md and running-custom-code.md.
  • [EXTERNAL_DOWNLOADS]: The skill requires the installation of browser binaries and configuration from external sources during its setup process.
  • Evidence: playwright-cli install-browser and playwright-cli install --skills commands described in SKILL.md.
  • [PROMPT_INJECTION]: As the skill is designed to navigate to and extract data from arbitrary third-party websites, it is inherently vulnerable to indirect prompt injection. Malicious content on visited pages could contain instructions aimed at manipulating the agent's behavior.
  • Evidence: The core functionality described in SKILL.md involves opening and interacting with external URLs, creating an ingestion point for untrusted data.
  • [CREDENTIALS_UNSAFE]: The skill facilitates the management of authentication states by allowing session tokens and cookies to be saved to and loaded from unencrypted local JSON files.
  • Evidence: The state-save and state-load commands detailed in storage-and-auth.md.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 14, 2026, 01:33 AM