playwright-cli

Warn

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: MEDIUM
Findings: REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The run-code and eval commands allow for the execution of arbitrary JavaScript. While eval runs in the browser context, run-code typically executes in the host's Node.js environment, providing a mechanism to access system resources or perform network operations outside the browser's sandbox.
    • Evidence: Usage of playwright-cli run-code and playwright-cli eval in SKILL.md and references/running-code.md.
  • [DATA_EXFILTRATION]: The skill provides tools to harvest sensitive session information, including cookies, localStorage, and sessionStorage. The state-save command captures the complete authentication state to a file, and tracing-start records full network logs, which often contain sensitive headers and credentials in POST request bodies.
    • Evidence: playwright-cli state-save, playwright-cli cookie-list, and playwright-cli tracing-start in SKILL.md and references/storage-state.md.
  • [CREDENTIALS_UNSAFE]: The --profile parameter for the open command allows the agent to use an existing persistent browser profile from the local disk. This grants access to the user's primary browser data, including saved passwords, history, and active login sessions.
    • Evidence: playwright-cli open --profile=/path/to/profile in SKILL.md.
  • [EXTERNAL_DOWNLOADS]: The documentation suggests installing the tool via npx playwright-cli, which involves downloading and executing a package from the NPM registry at runtime.
    • Evidence: Local installation instructions in SKILL.md.
  • [COMMAND_EXECUTION]: The skill is authorized to use the playwright-cli tool via Bash, which has extensive permissions to read from and write to the local filesystem (e.g., uploading files, saving snapshots, screenshots, and videos).
    • Evidence: allowed-tools configuration and commands like upload, snapshot, and video-stop in SKILL.md.
  • [PROMPT_INJECTION]: The skill has a high surface area for indirect prompt injection because its primary function is to process content from external, untrusted websites.
    • Ingestion points: Navigating to and reading content from arbitrary URLs via the open and goto commands in SKILL.md.
    • Boundary markers: Absent. There are no instructions or delimiters provided to help the agent distinguish between its own instructions and potentially malicious instructions embedded in a webpage.
    • Capability inventory: Arbitrary code execution (run-code), session data harvesting (state-save), and filesystem writes (screenshot, pdf, video-stop).
    • Sanitization: None. Webpage content and element attributes are used to drive agent actions without validation or filtering.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 26, 2026, 03:56 AM