playwright
Warn
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to create JavaScript files (e.g., in /tmp/screenshot.cjs) and execute them using the node command. This dynamic script generation and execution pattern allows for arbitrary code execution on the local system.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection by navigating the browser to untrusted external URLs. Content from these websites could contain hidden instructions designed to override agent behavior.
  - Ingestion points: Browser navigation to external URLs as defined in the examples within SKILL.md.
  - Boundary markers: Absent; there are no instructions to sanitize or delimit content retrieved from the web.
  - Capability inventory: Subprocess execution via node, file system writes to /tmp/, and outbound network requests via the browser.
  - Sanitization: Absent; the skill does not specify any validation for URLs or page content.
- [DATA_EXFILTRATION]: The instructions contain hardcoded absolute paths (e.g., /Users/espen/node_modules/playwright) which expose the host system's username and directory structure.
Audit Metadata