playwright-cli
Warn
Audited by Gen Agent Trust Hub on Apr 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes a comprehensive CLI interface (`playwright-cli`) allowing the agent to perform a wide range of browser interactions and shell-based automation tasks.
- [REMOTE_CODE_EXECUTION]: The `run-code` command enables the execution of arbitrary JavaScript within the browser context. Documentation in `references/running-code.md` explicitly shows how to use this for file system operations (`download.saveAs`) and complex page manipulation, which could be exploited to run malicious scripts.
- [CREDENTIALS_UNSAFE]: The skill facilitates the management of sensitive authentication data through commands like `state-save`, `state-load`, `cookie-set`, and `cookie-get`. These tools can be used to extract, store, or inject session tokens and cookies.
- [DATA_EXFILTRATION]: Features such as `screenshot`, `pdf`, and `eval` allow for the extraction of data from web pages. Additionally, the `run-code` feature can be used to programmatically read the system clipboard and local storage.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection because it fetches and processes content from external websites which is then returned to the agent.
  - Ingestion points: Untrusted data enters the agent context through `playwright-cli snapshot`, `playwright-cli eval`, and `playwright-cli console` outputs.
  - Boundary markers: Absent. The instructions do not specify any delimiters or warnings to the agent regarding the untrusted nature of the processed web content.
  - Capability inventory: The skill possesses capabilities for network requests (`goto`), file writing (`screenshot`, `state-save`), and arbitrary code execution (`run-code`).
  - Sanitization: Absent. There is no mechanism described for sanitizing or filtering web content before it is presented to the agent.
Audit Metadata