playwright-cli-agent
Warn
Audited by Gen Agent Trust Hub on May 13, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user/agent to install a global NPM package using
npm install -g @playwright/cli@latest. This package name does not correspond to the official Playwright packages maintained by Microsoft (e.g.,playwrightor@playwright/test), posing a potential supply chain risk through typosquatting or unverified third-party code. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because its core functionality involves navigating to and interacting with external, potentially untrusted web applications via
playwright-cli openandplaywright-cli goto. - Ingestion points: Web page content, DOM snapshots, console logs, and network signals are read into the agent's context (SKILL.md, references/live-browser-workflow.md).
- Boundary markers: No delimiters or instructions are provided to treat the browser's output as untrusted data or to ignore embedded commands.
- Capability inventory: The agent has access to powerful tools including file reading (
rtk read), code searching (rtk grep), and shell execution (rtk npm run build), which could be targeted by instructions hidden in a malicious web page. - Sanitization: No sanitization or validation of external browser data is mentioned.
- [COMMAND_EXECUTION]: The skill's primary workflow relies on executing a
playwright-clibinary. If this binary is associated with the unverified NPM package mentioned above, it could execute arbitrary code on the host system with the privileges of the agent. - [PROMPT_INJECTION]: There is a discrepancy in metadata where the
authorfield inSKILL.mdis set toredis, while the skill is identified as being authored byfcenedes. This deceptive metadata could lead to a misjudgment of the skill's origin and security profile.
Audit Metadata