playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides tools for executing arbitrary JavaScript code within the browser context via
playwright-cli evalandplaywright-cli run-code. This allows for dynamic execution based on agent-generated or potentially external inputs. - [EXTERNAL_DOWNLOADS]: The instructions recommend using
npx playwright-cli, which facilitates the download and execution of the package from the public npm registry at runtime if it is not already present. - [DATA_EXFILTRATION]: The skill includes extensive functionality for accessing and extracting sensitive browser data, including cookies (
cookie-get), LocalStorage, and SessionStorage. It also allows saving full authentication states (including session tokens) to local files usingstate-save. - [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection.
- Ingestion points: External websites via
gotoandopencommands in SKILL.md. - Boundary markers: The snapshot mechanism described in the 'Snapshots' section does not specify delimiters or warnings to ignore instructions found within page content.
- Capability inventory: The skill has significant capabilities, including file system writes (
state-save,screenshot), sensitive data reading (cookie-get), and arbitrary code execution (eval). - Sanitization: There is no evidence of sanitization or filtering for the data extracted from web snapshots before it is presented to the agent.
Audit Metadata