Skills
skills/bighardperson/computer-science-skills-collection/playwright-browser-automation/Gen Agent Trust Hub

playwright-browser-automation

Fail

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill recommends a highly insecure system configuration in the 'Sudoers Setup' section.
  • Evidence: SKILL.md suggests adding username ALL=(root) NOPASSWD: /usr/bin/npx playwright install-deps * and username ALL=(root) NOPASSWD: /usr/bin/npx playwright install * to the /etc/sudoers.d/playwright file.
  • Risk: Granting passwordless root access (NOPASSWD) to npx (Node Package Runner) with wildcard arguments (*) is a critical security flaw. An attacker could potentially bypass the intended command and execute arbitrary code or malicious packages as the root user, leading to a complete system compromise.
  • [EXTERNAL_DOWNLOADS]: The skill downloads the Playwright automation framework and browser binaries from official sources.
  • Evidence: The installation instructions in SKILL.md include npm install -g playwright and npx playwright install chromium.
  • Context: These downloads are from well-known sources and are part of the intended functionality for browser automation.
  • [PROMPT_INJECTION]: The skill's primary purpose—web browsing and data extraction—inherently exposes the agent to indirect prompt injection.
  • Ingestion points: The skill uses page.goto(url) to load content from untrusted external websites into the agent's context (SKILL.md, examples.py).
  • Boundary markers: The provided instructions do not include specific delimiters or warnings to help the agent distinguish between website data and its own system instructions.
  • Capability inventory: The skill utilizes the Bash tool and has broad capabilities, including file system access (writing screenshots, PDFs, and video files), network operations, and the ability to execute JavaScript in the browser context via page.evaluate().
  • Sanitization: No explicit sanitization or filtering of website content is implemented in the provided examples.
  • Risk: A malicious website could contain hidden instructions designed to manipulate the agent's behavior, exfiltrate sensitive data (such as authentication tokens stored in auth.json), or perform unauthorized actions on other sites using the agent's active session.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 10:48 AM
Security Audit — agent-trust-hub — playwright-browser-automation