Playwright CLI Browser Automation
Warn
Audited by Gen Agent Trust Hub on May 10, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill includes a `run-code` command (documented in `references/running-code.md`) which allows the agent to execute arbitrary JavaScript and Playwright code within the browser context. This provides significant control over the browser session and potential access to the execution environment.
- [DATA_EXFILTRATION]: The skill provides commands to access and save sensitive browser data, including `cookie-get`, `localstorage-get`, and `state-save` (found in `references/storage-state.md`). This enables the retrieval of authentication tokens and session identifiers, which could be exfiltrated if the agent is compromised.
- [COMMAND_EXECUTION]: The skill operates by executing shell commands via the `playwright-cli` tool. This creates a potential surface for command injection if untrusted parameters from web pages are passed to the CLI without proper validation.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes content from arbitrary websites.
  - Ingestion points: Browser snapshots and page content ingested via `playwright-cli snapshot` and `playwright-cli open` (referenced in `SKILL.md`).
  - Boundary markers: Absent; the instructions do not provide delimiters or warnings to help the agent distinguish between its instructions and untrusted data from the web.
  - Capability inventory: The skill includes high-impact capabilities such as arbitrary code execution (`run-code`), file uploading (`upload`), and browser state manipulation (`state-load`, `cookie-set`).
  - Sanitization: Absent; there is no evidence of validation or sanitization of the data retrieved from web pages before it is processed by the agent.
Audit Metadata