playwright-web-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The prompt directs the agent to analyze recorded scripts and "extract hardcoded values" (e.g., .fill('xxx')) into top-level constants/parameters and to have users paste recorded code back, which would cause any credentials entered during recording to be read and potentially emitted verbatim.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly automates browsing arbitrary target URLs (SKILL.md Step A: "npx playwright codegen <目标URL>") and the examples (examples/diagramgpt.mjs) show navigating to https://www.eraser.io/diagramgpt, reading iframe DOM, reacting to follow‑up questions and button/text state, so untrusted third‑party page content is fetched and interpreted to drive actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's HTML loads and executes the Mermaid module at runtime from https://cdn.jsdelivr.net/npm/mermaid@11/dist/mermaid.esm.min.mjs (via import in the page content), which is a required external dependency used to execute remote code for rendering diagrams.