browser-max-automation
Pass
Audited by Gen Agent Trust Hub on May 2, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install the Playwright MCP server using `npx @playwright/mcp@latest`, which downloads content from the official npm registry.
- [COMMAND_EXECUTION]: Detailed instructions are provided for launching Microsoft Edge with the `--remote-debugging-port=9222` flag to allow CDP-based automation.
- [REMOTE_CODE_EXECUTION]: The tool `browser_evaluate` is documented for executing arbitrary JavaScript code within the browser context to manipulate the DOM.
- [DATA_EXFILTRATION]: Use of the CDP endpoint enables the agent to interact with existing browser sessions, potentially accessing sensitive information like cookies and active login states.
- [PROMPT_INJECTION]: The skill is inherently vulnerable to indirect prompt injection (Category 8) as it processes data from untrusted external websites.
  - Ingestion points: Web page content is ingested through `browser_navigate` and `browser_snapshot` (SKILL.md).
  - Boundary markers: The skill does not implement or recommend the use of delimiters to isolate untrusted web content from instructions.
  - Capability inventory: The skill allows for high-impact actions including simulated user input (`browser_type`), navigation, and arbitrary script execution (`browser_evaluate`) (SKILL.md).
  - Sanitization: No sanitization or validation logic for external web content is described in the instructions.
Audit Metadata