playwright-cli

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is built entirely around a shell interface (playwright-cli) that allows the agent to execute arbitrary commands, launch browser processes, and run tests via npx playwright test as seen in SKILL.md and references/playwright-tests.md.
  • [REMOTE_CODE_EXECUTION]: The run-code command allows the agent to execute arbitrary JavaScript snippets within the browser context. Examples in references/running-code.md demonstrate execution of logic that can interact with the DOM, modify browser permissions, and handle file downloads.
  • [CREDENTIALS_UNSAFE]: The skill provides commands to export and import full browser storage states, including cookies and session tokens, to local JSON files (playwright-cli state-save and state-load). While references/storage-state.md includes warnings about committing these files to version control, the capability to harvest and store active session credentials locally is present.
  • [DATA_EXFILTRATION]: The skill includes extensive data collection capabilities, including screenshot, pdf generation, tracing (capturing network bodies/headers), and console log extraction. These tools can be used to capture and store sensitive information displayed on web pages or transmitted in API requests.
  • [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from web pages via snapshot and eval commands. This creates a surface where malicious content on a website could influence the agent's behavior.
  • Ingestion points: snapshot, eval, network, and console outputs (various files).
  • Boundary markers: None explicitly defined to separate untrusted page content from agent instructions during script generation.
  • Capability inventory: Full shell access, arbitrary JavaScript execution (run-code), file writing (screenshot, state-save), and network interaction.
  • Sanitization: No explicit sanitization of DOM content before it is processed by the agent to generate further automation steps.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 04:21 PM
Security Audit — agent-trust-hub — playwright-cli