Skills
skills/trailofbits/skills-curated/openai-playwright/Gen Agent Trust Hub

openai-playwright

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS] (LOW): The skill downloads and executes the @playwright/cli package via npx and npm. While this involves fetching external code at runtime, the dependency is maintained by Microsoft (a trusted organization), which qualifies for a severity downgrade per the [TRUST-SCOPE-RULE].
  • [COMMAND_EXECUTION] (LOW): The skill provides eval and run-code commands that allow the agent to execute arbitrary JavaScript within the browser environment. While powerful, these are standard features for browser automation and are restricted to the browser's sandbox.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from the web.
  • Ingestion points: Untrusted data enters the context through pwcli snapshot, pwcli eval, and pwcli network (found in SKILL.md and references/workflows.md).
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to ignore instructions embedded within the retrieved web content.
  • Capability inventory: The skill has access to high-privilege tools including Bash, Write, and Edit (specified in SKILL.md).
  • Sanitization: No sanitization or filtering of the ingested web content is performed before it is presented to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:37 PM