playwright

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.90). The skill includes examples that embed plaintext credentials directly into CLI commands (e.g., fill e2 "password123"), which encourages emitting secret values verbatim in generated commands and thus creates exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md and references/workflows.md explicitly instruct using the CLI to open arbitrary external URLs (e.g., "pwcli open https://example.com") and to evaluate/extract page content (e.g., pwcli eval "document.title" / el => el.textContent), meaning the agent will fetch and read untrusted third‑party webpages whose content can materially alter subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The wrapper script executes npx --package @playwright/mcp playwright-cli at runtime, which fetches and runs remote code from the npm registry (e.g. https://registry.npmjs.org/) making the skill reliant on externally retrieved code that is executed locally.