e2e
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest and process untrusted data from external websites.
  - Ingestion points: playwright-cli open and playwright-cli snapshot (references/component-exploration.md).
  - Boundary markers: None identified; the agent is instructed to identify interactive elements directly from the accessibility tree output.
  - Capability inventory: Extensive capabilities including click, fill, and eval (JavaScript execution).
  - Sanitization: None mentioned.
  - Risk: A malicious webpage could contain hidden text or metadata designed to hijack the agent's logic, leading it to execute unauthorized commands or exfiltrate data.
- Remote Code Execution (HIGH): The playwright-cli eval command (references/component-exploration.md) allows execution of arbitrary JavaScript code within the context of the browser. This gives an attacker-controlled webpage a path to execute logic via the agent, potentially accessing localStorage or session cookies, or performing actions on behalf of a logged-in user.
- Data Exfiltration (MEDIUM): The skill provides tools for monitoring internal application state.
  - Evidence: playwright-cli network and playwright-cli console (references/component-exploration.md) can expose sensitive data such as API keys in request headers, JWTs, and internal system logs to the agent's output context.
- Command Execution (HIGH): The skill relies on an external utility, playwright-cli. While the tool's source is not explicitly provided, it grants the agent broad power to interact with the host's network and file system (via screenshots and potential downloads).
Recommendations
- AI detected serious security threats
Audit Metadata