playwright

Fail

Audited by Gen Agent Trust Hub on Mar 18, 2026

Risk Level: HIGH

Flags: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to source credentials from ~/.config/taledraw-test.env and retrieve passwords from the macOS Keychain using security find-generic-password -a talelens-test -s <service> -w. This creates a direct path for the agent to access and potentially expose sensitive user data.
  • [COMMAND_EXECUTION]: The skill relies on a bash wrapper script scripts/playwright_cli.sh to execute browser automation tasks. This script handles command-line arguments and executes the Playwright CLI, which can perform high-privilege browser operations and execute JavaScript via eval and run-code subcommands.
  • [EXTERNAL_DOWNLOADS]: The wrapper script uses npx --package @playwright/cli playwright-cli to download and execute code from the NPM registry at runtime. While Playwright is a well-known tool from Microsoft, fetching and executing remote packages introduces a dependency on external registry availability and integrity.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it is designed to ingest and process content from arbitrary websites. Malicious instructions on a target web page could be interpreted by the agent during snapshots or evaluations.
    • Ingestion points: Web content processed via the snapshot and eval commands in scripts/playwright_cli.sh and documented in references/cli.md.
    • Boundary markers: The instructions do not define markers to separate untrusted web data from the agent's system instructions.
    • Capability inventory: The agent has access to terminal execution, browser control, and file system access (writing to output/playwright/).
    • Sanitization: There is no evidence of sanitization or filtering of the DOM content or JavaScript evaluation results before they are returned to the agent's context.
  • [DATA_EXFILTRATION]: The combination of accessing Keychain credentials and having the capability to interact with external websites via a browser creates a significant exfiltration surface if the agent is compromised by malicious instructions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 18, 2026, 10:39 AM