playwright
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUM (REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [REMOTE_CODE_EXECUTION]: The `run.js` script implements a dynamic execution wrapper that reads arbitrary JavaScript code from file paths, command-line arguments, or standard input. It wraps this code in a template, writes it to a new temporary file within the skill directory, and executes it using the Node.js `require()` function. This allows for the runtime generation and execution of arbitrary logic.
- [EXTERNAL_DOWNLOADS]: The skill includes logic to automatically install the `playwright` package and its required browser binaries (Chromium) from external sources, specifically the NPM registry and Microsoft's distribution infrastructure, during setup or when the runner detects missing dependencies.
- [COMMAND_EXECUTION]: The skill utilizes `child_process.execSync` in `run.js` to perform installation tasks. Additionally, it instructs the agent to execute shell commands via `node -e` for detecting local development servers during its normal workflow.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to navigate and interact with untrusted third-party web content. There are no explicit instructions or boundary markers to prevent the agent from following malicious commands that might be embedded in the HTML or text of the pages it automates.
- [DATA_EXFILTRATION]: Because the skill provides full browser automation capabilities, it possesses the technical surface to access local files via the `file://` protocol or probe internal network services, which could be leveraged to transmit sensitive data to external domains if the agent is misdirected.
Audit Metadata