playwright-skill

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.85). At runtime, bin/context runs playwright-cli run-code to read live page HTML/URL/title and injected window.__capturedConsole/window.__capturedRequests, then ResponseBuilder includes these strings/arrays in the LLM-visible TrimmedResponse and caches them—so any outsider-authored content on the visited site (including attacker-controlled text in DOM/console/network) can flow into the agent context.