essential-tools

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). The skill content includes explicit, actionable instructions and example payloads that perform data exfiltration, credential theft (including cloud metadata retrieval), automated credential stuffing, and remote command execution/download — patterns that clearly enable deliberate malicious abuse if used against unauthorized targets.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Playwright automation workflow explicitly instructs the agent to navigate to and inspect arbitrary web pages (e.g., playwright_navigate / playwright_snapshot / playwright_evaluate in reference/playwright-automation.md) and the cheat sheet references using Burp Collaborator and external URLs, meaning the agent will fetch and interpret untrusted public web content as part of its runtime workflow, which could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly configures a runtime command that uses npx to fetch and execute the Playwright MCP server (an external package) and links to its repo (https://github.com/executeautomation/playwright-mcp-server), so remote code is fetched-and-run at runtime and is a required dependency for the Playwright automation described.