playwright-cli
Warn
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the
playwright-clibinary to perform browser-based operations via the system shell.\n- [REMOTE_CODE_EXECUTION]: Therun-codecommand allows the agent to execute arbitrary JavaScript/Playwright code within the browser context, which can be used to perform complex logic that bypasses standard CLI command limitations. Evidence:playwright-cli run-code "async page => { ... }"inreferences/running-code.md.\n- [DATA_EXFILTRATION]: The skill includes extensive functionality to retrieve sensitive session data, such as cookies, local storage, and clipboard content. Evidence:playwright-cli cookie-listandplaywright-cli state-save auth.jsoninreferences/storage-state.md, and clipboard access examples inreferences/running-code.md.\n- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection as it ingests untrusted content from web pages.\n - Ingestion points:
playwright-cli snapshot,playwright-cli eval, and the browser DOM accessed viarun-code.\n - Boundary markers: Absent; there are no instructions for the agent to treat website content as untrusted or to ignore embedded instructions.\n
- Capability inventory: Shell command execution (
playwright-cli), file system writes (state-save,screenshot), and full network access (inherent to browser automation).\n - Sanitization: Absent; the skill does not implement or describe methods for sanitizing data retrieved from the web before processing.\n- [EXTERNAL_DOWNLOADS]: The skill provides commands to download and install browser binaries and external skill components. Evidence:
playwright-cli install-browserandplaywright-cli install --skillsinSKILL.md.
Audit Metadata