playwriter
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to download and run the
playwriterpackage directly from the npm registry usingnpx playwriter@latestorbunx playwriter@latest. - [COMMAND_EXECUTION]: Local shell commands are used to invoke the
playwriterCLI tool to interact with the browser environment. - [REMOTE_CODE_EXECUTION]: The skill provides the ability to execute arbitrary JavaScript code snippets within the browser's context using the
-eflag. Additionally, the instruction to runplaywriter skillto fetch documentation at runtime constitutes dynamic loading of logic that is not visible in the provided skill files. - [DATA_EXFILTRATION]: The skill connects to the user's existing Chrome browser instance rather than a fresh session. This gives the agent access to active authenticated sessions, cookies, and private history on sensitive sites such as Instagram and Twitter, posing a risk of session theft or data exposure.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is designed to ingest and process content from external, third-party websites which may contain malicious instructions targeting the agent's browser control capabilities.
- Ingestion points: Content from external websites loaded via
page.gotoinside the Playwright execution strings. - Boundary markers: Absent; there are no instructions to delineate or treat external web content as untrusted.
- Capability inventory: Shell command execution and arbitrary browser-level JavaScript execution.
- Sanitization: None described; the skill does not specify any methods for validating data retrieved from the web.
Audit Metadata