run-playwright

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill's workflow (SKILL.md and references/navigation.md / references/patterns.md) explicitly instructs the agent to open arbitrary public URLs (open ), run eval/run-code against page DOM, and extract/act on data from web pages (multi-page scraping, data extraction, OAuth popups), which clearly ingests untrusted third-party content that can influence subsequent actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.80). The skill's bootstrap step instructs running "which playwright-cli || npm install -g @anthropic-ai/playwright-cli@latest" which will fetch and install remote code (the @anthropic-ai/playwright-cli package) at runtime and is a required dependency that executes remote code.