playwright-mastery
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- [Dynamic Execution] (MEDIUM): The skill exposes `playwright-cli eval` and `playwright-cli run-code` commands. These allow for the execution of arbitrary JavaScript strings within the browser context, which can be used to bypass security controls or perform unauthorized actions if the input is manipulated.
- [Indirect Prompt Injection] (LOW): This skill has a significant attack surface for indirect prompt injection because it is designed to ingest and interact with untrusted third-party web content.
  - Ingestion points: `playwright-cli open`, `goto`, `snapshot` (extracts page structure), and `eval` (extracts text or data).
  - Boundary markers: Absent. There are no instructions for the agent to ignore instructions embedded in the HTML or DOM of the pages it visits.
  - Capability inventory: The skill can perform sensitive operations including `click`, `fill`, `upload` (local file access), `state-save` (credential/cookie extraction), and `run-code` (arbitrary browser-side code execution).
  - Sanitization: Absent. The skill does not provide mechanisms to sanitize or filter content retrieved from the web before the agent processes it.
- [Data Exposure & Exfiltration] (LOW): The `state-save` and `state-load` commands allow for the extraction and restoration of browser session states (cookies, localStorage, etc.). While intended for legitimate automation, these commands facilitate the handling of sensitive authentication tokens.
Audit Metadata