playwright-cli
Pass
Audited by Gen Agent Trust Hub on May 18, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill interacts with the host system by executing commands through the playwright-cli tool using the Bash tool. This allows for broad browser control but is scoped to the specific CLI tool as per the allowed-tools configuration.
- [REMOTE_CODE_EXECUTION]: The run-code and eval commands allow the agent to execute arbitrary JavaScript within the browser context. This is a core feature for advanced automation but provides a vector for executing complex logic that could be used for data extraction or unauthorized actions within the web session.
- [CREDENTIALS_UNSAFE]: The skill provides extensive capabilities for managing authentication states, including listing, getting, setting, and saving cookies and localStorage (e.g., cookie-get, state-save). If an agent is directed to malicious sites, these commands could be used to expose or exfiltrate session tokens and sensitive user data.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection. It fetches and processes content from external websites (via snapshot, eval, or run-code), which could contain hidden instructions intended to override the agent's behavior.
  - Ingestion points: Data entered into the agent context via browser snapshots and element evaluation in SKILL.md and references/running-code.md.
  - Boundary markers: None present in the instructions to separate untrusted web content from agent instructions.
  - Capability inventory: The skill can execute arbitrary browser code, manage cookies, and save state files to the local file system.
  - Sanitization: No sanitization or validation of the extracted web content is performed before it is processed by the agent.
Audit Metadata