playwright-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly navigates to and ingests content from arbitrary external URLs via the "open " command (see SKILL.md and references/command-reference.md), scrapes and evals page DOM and network/console logs, and directs the agent to decide actions based on that page content—i.e., it consumes untrusted public web content that can materially influence subsequent tool use.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). The skill's bootstrap steps explicitly install and run remote packages (e.g., "npm install -g @anthropic-ai/playwright-cli" and "PLAYWRIGHT_SKIP_VALIDATE_HOST_REQUIREMENTS=true npx playwright install chromium"), which fetch and execute remote code at runtime (example package URL: https://www.npmjs.com/package/@anthropic-ai/playwright-cli) and are required dependencies for the skill.