playwright-cli

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The playwright-cli run-code and playwright-cli eval commands allow for the execution of arbitrary JavaScript code within the browser context and the tool's execution environment. This provides a direct mechanism for the agent to execute unverified logic beyond the pre-defined CLI commands.
  • [DATA_EXFILTRATION]: The skill can access sensitive browser data, including cookies, localStorage, and session storage via commands like cookie-get and localstorage-get. It also includes patterns for reading the system clipboard using navigator.clipboard.readText() within run-code blocks.
  • [DATA_EXFILTRATION]: The tool facilitates writing sensitive data to the local file system. Specifically, the state-save command exports all session cookies and local storage items to a JSON file, and other commands allow saving screenshots, PDFs, and video recordings to local paths.
  • [COMMAND_EXECUTION]: The skill makes extensive use of the playwright-cli tool to interact with the system and browser. This includes process management and file system operations that are necessary for browser automation but expand the agent's capability to modify the local environment.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection when navigating to untrusted websites, as it ingests and processes third-party page content.
      • Ingestion points: External URLs and page content are ingested via open, goto, snapshot, and eval commands as documented in SKILL.md and core-commands.md.
      • Boundary markers: The documentation includes a "Security" section in SKILL.md that warns users to only target authorized applications and treat extracted text as untrusted data.
      • Capability inventory: The skill possesses capabilities for arbitrary JavaScript execution (run-code), file system writes (state-save, screenshot), and access to sensitive browser storage.
      • Sanitization: The documentation suggests manual sanitization of extracted content but does not provide automated validation mechanisms within the tool itself.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 14, 2026, 03:44 PM