playwright-cli

Fail

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install @playwright/cli globally via npm. This package name appears to impersonate the official Playwright project, as legitimate installations typically use the playwright package or npx playwright. This unverified external dependency represents a supply chain risk.\n- [REMOTE_CODE_EXECUTION]: The run-code and eval commands allow for the execution of arbitrary JavaScript and Playwright code within the agent's Node.js environment and the browser context. This provides a direct path for executing untrusted scripts generated by the agent or derived from external content.\n- [COMMAND_EXECUTION]: The skill requests broad permissions for Bash(playwright-cli:*), Bash(npx:*), and Bash(npm:*). This allows the agent to execute arbitrary shell commands, install unverified software, and run local test scripts, which could be abused for malicious purposes.\n- [DATA_EXFILTRATION]: The skill includes extensive capabilities for reading sensitive session data, including cookies, localStorage, and session state (e.g., cookie-list, cookie-get, state-save). When combined with the ability to navigate to arbitrary URLs (goto) or execute code (eval), this creates a high risk for the harvesting and exfiltration of authentication tokens and user data.\n- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection because it ingests untrusted data from web pages and possesses high-impact capabilities that could be triggered by instructions embedded in those pages.\n
  • Ingestion points: playwright-cli open, goto, and snapshot in SKILL.md read untrusted content into the agent's context.\n
  • Boundary markers: No delimiters or instructions are provided to the agent to ignore instructions embedded in the processed web content.\n
  • Capability inventory: run-code, eval, state-save, cookie-list, and npx playwright test (identified in SKILL.md, running-code.md, and playwright-tests.md) allow for data theft and code execution.\n
  • Sanitization: No validation or sanitization of external content is mentioned before it is processed or acted upon.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 20, 2026, 01:50 AM
Security Audit — agent-trust-hub — playwright-cli