playwright-mcp-server
Pass
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `npx @playwright/mcp@latest` to download and execute the Playwright MCP server from the public NPM registry.
- [COMMAND_EXECUTION]: Provides the `playwright_evaluate` tool, which executes arbitrary JavaScript within the browser's page context. While powerful, this execution is isolated to the browser sandbox.
- [DATA_EXFILTRATION]: The `playwright_screenshot` tool allows writing files to the local filesystem via the `path` parameter, which could be used to export sensitive visual information from the browser to the host machine.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection because it ingests untrusted data from external websites that the agent processes.
  - Ingestion points: External web content is retrieved via `playwright_navigate`, `playwright_snapshot`, and `playwright_evaluate` in `SKILL.md`.
  - Boundary markers: No explicit delimiters are used to wrap or isolate ingested web content from the agent's system instructions.
  - Capability inventory: The agent has access to browser-side script execution (`playwright_evaluate`), file system writes (`playwright_screenshot`), and network navigation (`playwright_navigate`).
  - Sanitization: No specialized filtering or sanitization of web content is mentioned before it is added to the agent's context.
Audit Metadata