playwright

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly grants the agent Playwright browser capabilities to "Open URLs" and "Data extraction: Read page content, extract text, query DOM elements" and instructs multi-step interactions (handling cookie banners, filling forms), which means the agent will fetch and interpret arbitrary public web pages (untrusted third-party content) as part of its workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's prerequisite runs "npx @playwright/mcp@latest" (fetching and executing the @playwright/mcp npm package at runtime), which downloads and executes remote code the skill depends on, so it is a runtime external dependency that can execute code.