playwright-browser-run-code
Fail
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The tool `browser_run_code` in SKILL.md accepts a JavaScript function as a string via the `code` argument and executes it directly on a page instance. This functionality allows for arbitrary code execution within the browser's security context.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of dynamic logic provided at runtime. Because the agent may generate this code based on external inputs or instructions, it presents a significant risk of remote code execution if an attacker can manipulate the input to the code generation process.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection attacks where malicious instructions from visited websites could influence the agent's behavior.
  - Ingestion points: Untrusted data enters the agent's context when it navigates to or parses content from external web pages using the browser tool.
  - Boundary markers: There are no explicit boundary markers or instructions provided in the skill to distinguish between trusted system instructions and untrusted data scraped from the web.
  - Capability inventory: The skill has access to the full Playwright API, enabling it to interact with any page element, read cookies, access local storage, and perform network requests from the browser.
  - Sanitization: There is no evidence of sanitization, validation, or sandboxing of the JavaScript code before it is passed to the execution environment.
Recommendations
- AI detected serious security threats
Audit Metadata