Skills
skills/nogataka/skilllab/playwright-cli/Gen Agent Trust Hub

playwright-cli

Warn

Audited by Gen Agent Trust Hub on May 7, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides the playwright-cli eval command, which allows the execution of arbitrary JavaScript expressions within the browser context. This can be used to manipulate page state or access sensitive data within the DOM.
  • [REMOTE_CODE_EXECUTION]: The skill includes a run-code command that executes arbitrary asynchronous Node.js code (using the Playwright API). As shown in references/running-code.md, this capability allows for complex operations such as file system writes (download.saveAs), permission management, and custom network routing.
  • [EXTERNAL_DOWNLOADS]: The SKILL.md file instructs the agent to install an external package globally using npm install -g @playwright/cli@latest. This introduces a dependency on an external registry and potentially untrusted third-party code if the package is compromised or typosquatted.
  • [DATA_EXFILTRATION]: The skill provides multiple tools for accessing and storing sensitive information. The state-save command exports cookies and local storage to JSON files on the local disk. Additionally, references/running-code.md demonstrates how to read the system clipboard using the clipboard-read permission. These capabilities could be combined to harvest and exfiltrate authentication tokens or user data.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It is designed to ingest and process content from arbitrary web pages (via snapshot, content, and allTextContents).
  • Ingestion points: Web page content is ingested through the snapshot command and custom run-code scraping logic in references/running-code.md.
  • Boundary markers: There are no instructions or delimiters provided to the agent to distinguish between its own system instructions and the potentially malicious instructions contained within the scraped web content.
  • Capability inventory: The skill possesses powerful capabilities including arbitrary code execution (run-code), file writing (state-save, screenshot, pdf), and network navigation, which could be abused if the agent follows instructions found on a malicious website.
  • Sanitization: No sanitization or validation of the scraped content is performed before it is presented to the agent's context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 7, 2026, 08:09 AM
Security Audit — agent-trust-hub — playwright-cli