playwright-cli

Warn

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The run-code command allows the agent to execute arbitrary asynchronous JavaScript and Playwright API calls within the browser environment. Examples in references/running-code.md demonstrate advanced capabilities such as managing permissions, interacting with the clipboard, and executing custom JavaScript snippets on pages. This represents a dynamic execution surface within the browser context.
  • [DATA_EXFILTRATION]: The skill provides tools for retrieving sensitive user data from the browser, including cookies, local storage, and session storage (e.g., cookie-get, localstorage-list). The storage state can be saved to files using state-save, which may contain authentication tokens or session identifiers. Access to navigator.clipboard is also documented.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file suggests using npx playwright-cli, which downloads and executes the package from the official NPM registry if it is not already installed locally. While the source is a well-known registry, it remains an external dependency for the skill's operation.
  • [COMMAND_EXECUTION]: The agent is given broad permission to execute playwright-cli commands, which include browser session management, network request mocking (routing), and direct DOM interaction via CSS selectors and roles.
  • [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection as it processes content from external, untrusted websites without sanitization while possessing powerful capabilities (writing to files, executing code, clicking elements). Web content could contain hidden instructions that influence the agent's behavior during the session.
      • Ingestion points: SKILL.md (via goto and open commands).
      • Boundary markers: None identified; there are no instructions to treat page content as untrusted data or use specific delimiters.
      • Capability inventory: run-code, eval, fill, click, cookie-set, state-save (across various files).
      • Sanitization: None; the skill directly interacts with elements and executes code based on the current page state.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 9, 2026, 02:35 PM