partiful
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill automatically installs the
playwrightframework globally and downloads the Chromium browser environment usingnpm install -g playwrightandnpx playwright install chromiumwithin thescripts/partiful.cljscript. While these are well-known tools from Microsoft, the automated installation of global packages and executable binaries represents a significant system modification. - [COMMAND_EXECUTION]: The skill uses
babashka.process/shellto execute system commands includingnpm,npx, andnode. It also generates a temporary JavaScript file at/tmp/partiful-auth.jsand executes it to perform browser automation tasks. - [CREDENTIALS_UNSAFE]: The authentication process (
authcommand) captures sensitiveAuthorizationheaders and user IDs by intercepting network traffic within a Playwright-controlled browser session. The extracted credentials, including auth tokens and refresh tokens, are stored in plain text on the local file system at~/.partiful-config.edn.
Audit Metadata