playwright-skill

Fail

Audited by Gen Agent Trust Hub on Jun 24, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The bin/open script is vulnerable to command injection. It interpolates the name of the current working directory ($DIR_NAME) directly into a Python program passed to python3 -c, without any sanitization. A directory name containing a quote followed by Python code is executed as part of that program whenever the agent initializes a session in that directory.
  • [COMMAND_EXECUTION]: The interaction scripts bin/click-css, bin/fill-css and bin/upload are vulnerable to the same class of injection. Their input parameters (selectors and values) are interpolated into a JavaScript source string handed to playwright-cli run-code. The escaping step used (${VAR//'/''}) is a no-op that leaves single quotes in place, so a selector or value containing a quote breaks out of the string literal and the remainder is executed as arbitrary Playwright JavaScript in the browser.
  • [DATA_EXFILTRATION]: The skill provides tools (bin/auth-save, bin/context) that capture and store sensitive browser data, including session cookies, localStorage and full HTML source. This data is written to the .playwright-skill/ directory and cache. If the agent is compromised via indirect prompt injection, these same tools can be used to exfiltrate session tokens or sensitive page content.
  • [REMOTE_CODE_EXECUTION]: The skill relies on playwright-cli run-code, which executes arbitrary JavaScript in the browser. It is intended as a developer escape hatch, but because the wrapper scripts do not sanitize their inputs it becomes a high-risk capability that can be abused for script injection into the visited page or for data theft.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection. It ingests untrusted data from web pages (HTML snapshots and accessibility trees) and exposes powerful capabilities such as run-code and file upload. Instructions embedded in a website's content could cause the agent to perform unauthorized actions or exfiltrate data without user intervention.
  • Ingestion points: src/capture.ts (reads HTML, console logs and ARIA snapshots from the browser)
  • Boundary markers: none detected; captured data is processed and stored as plain text or YAML/JSON
  • Capability inventory: playwright-cli run-code, bin/upload, bin/click-css, bin/auth-save
  • Sanitization: no sanitization or filtering of external content before it is processed or interpolated into agent prompts
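The two injection findings above share one root cause: shell data is spliced into program text (Python source for python3 -c, JavaScript source for run-code) instead of being passed as data. The bash script below is an added example, not code from playwright-skill or from the audit; it reconstructs each pattern beside a hardened form. The function names, the page.click target and the hostile inputs are hypothetical and constructed for the demonstration, and the script requires bash (it uses ${var//pattern/replacement}).

```bash
#!/usr/bin/env bash
# Added example (not the skill's own code). Reconstructs the two interpolation
# patterns described in the audit, each next to a hardened version. Function
# names, the page.click target and the hostile inputs are hypothetical.
set -u

# --- 1. Shell data spliced into JavaScript source for run-code -------------

# Vulnerable: the selector lands inside a single-quoted JS literal unchanged
# (the audit found the wrapper's quote-escaping step to be a no-op, so this
# is equivalent). A selector containing a quote terminates the literal and
# whatever follows it becomes code.
build_click_vuln() {
  printf "await page.click('%s');" "$1"
}

# Hardened: emit a double-quoted JS literal with every character that could
# end or alter the literal escaped, so the value can only ever be a string.
js_string_literal() {
  local s=$1
  s=${s//\\/\\\\}      # backslash first, so later escapes are not doubled
  s=${s//\"/\\\"}      # the closing delimiter
  s=${s//$'\n'/\\n}    # raw line terminators would end a JS string literal
  s=${s//$'\r'/\\r}
  s=${s//$'\t'/\\t}
  printf '"%s"' "$s"
}

build_click_safe() {
  printf 'await page.click(%s);' "$(js_string_literal "$1")"
}

# --- 2. Directory name spliced into python3 -c source ----------------------

# Vulnerable: $1 becomes part of the Python program text.
session_name_vuln() {
  python3 -c "print('session-' + '$1')"
}

# Hardened: the program text is a constant; the value travels through argv
# and Python never parses it as source.
session_name_safe() {
  python3 -c 'import sys; print("session-" + sys.argv[1])' "$1"
}

# Constructed hostile inputs. They target nothing real; the JS one only calls
# page.evaluate on a constant, the Python one only runs `echo PWNED`.
HOSTILE_SELECTOR="x'); await page.evaluate(() => 1); ('y"
HOSTILE_DIR="x' + __import__('os').popen('echo PWNED').read().strip() + 'y"

main() {
  printf 'vuln JS : %s\n' "$(build_click_vuln "$HOSTILE_SELECTOR")"
  printf 'safe JS : %s\n' "$(build_click_safe "$HOSTILE_SELECTOR")"
  if command -v python3 >/dev/null 2>&1; then
    printf 'vuln py : %s\n' "$(session_name_vuln "$HOSTILE_DIR")"
    printf 'safe py : %s\n' "$(session_name_safe "$HOSTILE_DIR")"
  fi
}

main
```

In the vulnerable JS builder the hostile selector yields `await page.click('x'); await page.evaluate(() => 1); ('y');`, three statements where one was intended; the hardened builder yields a single call whose only argument is the string literal `"x'); await page.evaluate(() => 1); ('y"`. In the Python pair the vulnerable form prints `session-xPWNEDy` because the injected popen ran, while the argv form prints the directory name verbatim. Dedicated subcommands (click, fill, upload) that never go through run-code are still preferable to hand-built JS literals, since the escaping then does not need to be right in every wrapper.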
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Jun 24, 2026, 12:54 AM
Security Audit — agent-trust-hub — playwright-skill