ux-review
Fail
Audited by Gen Agent Trust Hub on Feb 20, 2026
Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The `SKILL.md` file instructs users to run `npm install -g @playwright/cli@latest`. While the `@playwright` scope is owned by Microsoft, the instructions subsequently use the command `playwright-cli` with a non-standard `--skills` flag. The official Playwright CLI command is `playwright`. This discrepancy indicates the skill may be attempting to trick users into running an unofficial or malicious binary. Before acting on either conclusion, confirm what the published package actually registers on PATH: `npm view @playwright/cli bin` lists the commands it installs and `npm pack @playwright/cli --dry-run` lists the files it ships. The `@latest` tag is also unpinned, so the binary a user gets depends on whatever is published at install time rather than a reviewed version.
- REMOTE_CODE_EXECUTION (HIGH): The skill's workflow depends on executing `playwright-cli install --skills`. Since this command does not exist in the official Playwright toolkit, it represents the execution of unverified and potentially malicious code on the host system.
- COMMAND_EXECUTION (HIGH): Multiple agent files (e.g., `accessibility.md`, `visual-design.md`) use `playwright-cli eval` to execute arbitrary JavaScript code within the browser context. Given the questionable provenance of the CLI tool and the ability to execute code, this poses a severe security risk: any page the agent visits can influence what gets evaluated.
- PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8). It ingests untrusted data from web pages via `playwright-cli snapshot` and processes it using LLMs without sanitization or boundary markers. Evidence:
  - Ingestion points: `playwright-cli snapshot` is used across all agent files to read page content.
  - Boundary markers: None present in the agent instructions to separate instructions from content.
  - Capability inventory: Extensive browser interaction including `playwright-cli eval` (JavaScript execution), `click`, and `fill`.
  - Sanitization: No sanitization or validation of the ingested content is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata