playwriter
Fail
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: HIGH
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill provides the ability to execute arbitrary JavaScript and Playwright code within a browser session via the `-e` flag and the `execute` MCP tool. This allows the agent to perform any action a user could in the browser environment.
- [DATA_EXFILTRATION]: The skill connects to a running Chrome instance rather than a headless one, exposing all active user sessions, authentication cookies, and saved credentials to the agent. It also features a `playwriter serve` command that creates a WebSocket tunnel for remote access, which could be exploited for unauthorized access or silent harvesting of session data.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a third-party Chrome extension (ID: jfeammnjpkecdekppnclgkkffahnhfhe) and a global NPM package (`playwriter`) from an external repository (remorses/playwriter).
- [COMMAND_EXECUTION]: The skill relies on multiple CLI commands for browser interaction, session management, and setting up remote tunnels.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection by ingesting untrusted data from external websites.
  - Ingestion points: `snapshot({ page })`, `getCleanHTML()`, and `getPageMarkdown()` retrieve raw content from web pages.
  - Boundary markers: Absent; web content is processed directly by the agent without isolation delimiters.
  - Capability inventory: Execution of arbitrary code, manipulation of authenticated browser sessions, and data exfiltration via tunnels.
  - Sanitization: No evidence of sanitization or filtering of external instructions embedded in web content or metadata.
Recommendations
- AI detected serious security threats
Audit Metadata