playwright-cli
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The commands `run-code` and `eval` allow for the execution of arbitrary JavaScript and Playwright code within the browser context. This provides full control over the session but also enables the execution of unverified logic at runtime.
- [DATA_EXFILTRATION]: The skill contains numerous commands for extracting data from the browser to the local environment, including `cookie-get`, `localstorage-get`, `screenshot`, and `pdf`. Specifically, the `tracing-start` feature captures comprehensive network logs, which typically include sensitive authorization headers and private data within request/response bodies.
- [CREDENTIALS_UNSAFE]: The `state-save` and `state-load` functions are explicitly designed to save browser authentication states—including cookies and local storage tokens—to local JSON files (e.g., `auth.json`). This practice creates a risk of credential theft if the resulting files are not managed with strict security controls.
- [EXTERNAL_DOWNLOADS]: The `install-browser` and `install-skills` commands facilitate the automated download and installation of external browser binaries and additional components from remote network sources.
- [COMMAND_EXECUTION]: The skill is built around a custom CLI wrapper, `playwright-cli`, which executes various shell-level operations for browser management, file system writes, and network configuration.
- [PROMPT_INJECTION]: The skill possesses a significant attack surface for Indirect Prompt Injection due to its interaction with untrusted web content.
  - Ingestion points: Untrusted data enters the agent's context through web page content (`snapshot`, `page.content()`, `eval`), console logs, and network interception (`network`, `tracing`).
  - Boundary markers: There are no specified delimiters or instructions to treat web-derived content as untrusted data or to ignore instructions embedded within it.
  - Capability inventory: The skill has powerful capabilities including file system writes (`screenshot`, `state-save`), arbitrary code execution (`eval`, `run-code`), and network manipulation (`route`).
  - Sanitization: There is no evidence of sanitization or validation of the data retrieved from the web before it is processed by the agent or used to influence subsequent actions.