playwright-skill
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION] (HIGH): The core logic in run.js reads arbitrary input from command-line arguments or stdin and executes it using require(). In an AI agent context, this is a direct path to Remote Code Execution if the agent is tricked into passing malicious code instructions to the skill.
- [COMMAND_EXECUTION] (MEDIUM): The installPlaywright function uses execSync to perform shell command execution. While intended for environment setup (npm install), this is a high-privilege operation that increases the skill's attack surface.
- [DATA_EXFILTRATION] (MEDIUM): Because the skill executes code with full Node.js privileges, any script it runs can access sensitive local files (e.g., ~/.ssh/id_rsa, .env) and transmit them to external servers via the network.
- [PROMPT_INJECTION] (LOW): The skill is highly vulnerable to Indirect Prompt Injection because it provides a high-privilege execution environment for data ingested from untrusted external sources (web pages).
  - Ingestion points: getCodeToExecute() in run.js reads raw input from arguments and stdin.
  - Boundary markers: None; the input is wrapped in a template and executed directly.
  - Capability inventory: Full filesystem access (fs), network access, and shell execution (execSync).
  - Sanitization: No validation or sanitization is performed on the code before it is written to a temporary file and executed.
Recommendations
- AI detected serious security threats
Audit Metadata