playwright-cli
Warn
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents the use of `run-code` and `eval` commands which allow for the execution of arbitrary JavaScript within the browser context. This capability can be leveraged to interact with web pages in ways that could be malicious if triggered by untrusted inputs.
  - Evidence (SKILL.md): `playwright-cli run-code "async page => { ... }"` and `playwright-cli eval "document.title"`.
- [DATA_EXFILTRATION]: The skill provides explicit commands to list, retrieve, and save sensitive browser session data, including cookies, localStorage, and sessionStorage. This could be used to harvest authentication tokens from sites the agent visits.
  - Evidence (SKILL.md, storage-state.md): `playwright-cli cookie-get session_id`, `playwright-cli localstorage-list`, and `playwright-cli state-save auth.json`.
- [COMMAND_EXECUTION]: The skill instructions provide for the installation of global Node.js packages and the execution of arbitrary commands via `npm` and `npx`.
  - Evidence (SKILL.md): `npm install -g @playwright/cli@latest` and `npx --no-install playwright-cli --version`.
- [EXTERNAL_DOWNLOADS]: The skill references the installation of an external package `@playwright/cli`, which does not appear to be an official Microsoft Playwright package and may be a reference error or an unverifiable source.
  - Evidence (SKILL.md): `npm install -g @playwright/cli@latest`.
- [PROMPT_INJECTION]: As a tool designed to navigate and snapshot the live web, the skill is highly susceptible to indirect prompt injection. Malicious instructions embedded in a website's HTML could be ingested by the agent and used to trigger the tool's sensitive capabilities.
  - Evidence (SKILL.md): `playwright-cli snapshot`, `playwright-cli goto https://example.com/`.
  - Indirect Prompt Injection Surface Analysis:
    - Ingestion points: Page content is ingested via `snapshot`, `open`, and `goto` commands in `SKILL.md`.
    - Boundary markers: Absent; the instructions do not provide delimiters or warnings to the agent regarding untrusted browser content.
    - Capability inventory: Extensive browser interaction, storage manipulation, and script execution capabilities are available to the agent.
    - Sanitization: Absent; snapshots and evaluations of the DOM are passed directly into the agent's context.
Audit Metadata