playwright-cli
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the
run-codeandevalcommands, which enable the execution of arbitrary JavaScript code within the browser automation context. This capability allows for complex interactions, including file system operations such asdownload.saveAs(). - [DATA_EXFILTRATION]: The skill provides tools for accessing and exporting sensitive browser state, including cookies, local storage, and session storage via commands like
state-save,cookie-list, andlocalstorage-get. These can be used to extract authentication tokens or active session identifiers from the browser environment. - [EXTERNAL_DOWNLOADS]: The installation instructions reference downloading the
@playwright/clipackage from the public NPM registry. This is a standard procedure for browser automation tools. - [PROMPT_INJECTION]: The skill processes untrusted content from external websites through navigation and snapshots. This creates an attack surface for indirect prompt injection, where a malicious site could influence the agent's behavior by embedding instructions in the DOM.
- Ingestion points:
playwright-cli goto,playwright-cli snapshot, andplaywright-cli evalinSKILL.mdandreferences/element-attributes.md. - Boundary markers: No explicit markers are used to isolate ingested website content from the agent's instructions.
- Capability inventory: High; includes shell command execution via tools, file system writes, and arbitrary JavaScript execution in the browser context.
- Sanitization: No sanitization of ingested HTML or text is performed before it is presented to the agent for analysis.
Audit Metadata