playwright-browser-run-code

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This skill exposes an explicit remote code execution capability — it runs arbitrary JavaScript Playwright snippets supplied as input (a classic RCE surface) which can be trivially abused to harvest page data, credentials, tokens, and send them to external endpoints even though no malicious payload is present in the skill itself.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The SKILL.md defines a browser_run_code tool that accepts arbitrary Playwright JavaScript (the required "code" argument) which is invoked with a page object for "any page interaction", meaning the agent can navigate to and read arbitrary public web pages (third‑party/untrusted content) that could contain instructions and thus materially influence subsequent actions.