run-playwright

Pass

Audited by Gen Agent Trust Hub on Apr 21, 2026

Risk Level: SAFE
PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The skill establishes an environment that is susceptible to indirect prompt injection because its core functionality requires the agent to ingest and interpret data from external, untrusted websites.
      • Ingestion points: Untrusted content is processed through accessibility-tree snapshots and browser artifact logs (console and network) stored in the .playwright-cli/ directory.
      • Boundary markers: The instructions do not provide explicit delimiters or system-level guidance to help the agent differentiate between trusted instructions and potentially malicious content embedded in web data.
      • Capability inventory: The agent has a broad range of capabilities, including executing shell commands via the Playwright CLI, running arbitrary JavaScript in the browser context using the run-code command, and managing local files.
      • Sanitization: No sanitization or validation of the data retrieved from external sources is implemented before the agent processes and acts upon it.
  • [DATA_EXFILTRATION]: The skill provides patterns for accessing sensitive browser data, such as session cookies, local storage, and structured DOM content. While documented for legitimate purposes like authentication persistence and data extraction, this information enters the agent's context and represents a data exposure surface.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the @anthropic-ai/playwright-cli package and associated browser binaries. These downloads originate from a well-known and trusted organization.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Apr 21, 2026, 04:42 PM