playwright-cli
Fail
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install
@playwright/cliglobally vianpm. This package name appears to impersonate the official Playwright project, as legitimate installations typically use theplaywrightpackage ornpx playwright. This unverified external dependency represents a supply chain risk.\n- [REMOTE_CODE_EXECUTION]: Therun-codeandevalcommands allow for the execution of arbitrary JavaScript and Playwright code within the agent's Node.js environment and the browser context. This provides a direct path for executing untrusted scripts generated by the agent or derived from external content.\n- [COMMAND_EXECUTION]: The skill requests broad permissions forBash(playwright-cli:*),Bash(npx:*), andBash(npm:*). This allows the agent to execute arbitrary shell commands, install unverified software, and run local test scripts, which could be abused for malicious purposes.\n- [DATA_EXFILTRATION]: The skill includes extensive capabilities for reading sensitive session data, including cookies, localStorage, and session state (e.g.,cookie-list,cookie-get,state-save). When combined with the ability to navigate to arbitrary URLs (goto) or execute code (eval), this creates a high risk for the harvesting and exfiltration of authentication tokens and user data.\n- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection because it ingests untrusted data from web pages and possesses high-impact capabilities that could be triggered by instructions embedded in those pages.\n - Ingestion points:
playwright-cli open,goto, andsnapshotinSKILL.mdread untrusted content into the agent's context.\n - Boundary markers: No delimiters or instructions are provided to the agent to ignore instructions embedded in the processed web content.\n
- Capability inventory:
run-code,eval,state-save,cookie-list, andnpx playwright test(identified inSKILL.md,running-code.md, andplaywright-tests.md) allow for data theft and code execution.\n - Sanitization: No validation or sanitization of external content is mentioned before it is processed or acted upon.
Recommendations
- AI detected serious security threats
Audit Metadata