run-playwright

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's workflow and examples (SKILL.md and the references like references/async-and-advanced.md and orchestrator-guide.md) explicitly call out browsing arbitrary public URLs via commands such as open (including examples like open "https://www.amazon.com/..."), and then use snapshot/eval/run-code to read and act on page content, so it clearly ingests untrusted third-party web content that can influence subsequent tool actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill bootstraps by installing a remote CLI package (npm install -g @anthropic-ai/playwright-cli@latest which fetches code from the npm registry at https://registry.npmjs.org/@anthropic-ai/playwright-cli), so runtime fetches and installs remote code the skill depends on and which will be executed — presenting a clear external-code execution dependency.