Trust Assessment
playwright-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 15 findings: 4 critical, 6 high, 3 medium, and 2 low severity. Key findings include Arbitrary command execution, Unpinned npm dependency version, Node lockfile missing.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings15
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/utilities/playwright-skill/lib/helpers.js:174 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/utilities/playwright-skill/run.js:15 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/utilities/playwright-skill/run.js:38 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/utilities/playwright-skill/run.js:39 | |
| HIGH | Arbitrary Code Execution via run.js The `run.js` script is designed to execute arbitrary JavaScript code provided as a command-line argument, from a file path, or via stdin. This is the core functionality of the skill, enabling 'any browser task'. However, it means that if the host LLM is compromised or manipulated to generate malicious JavaScript, that code will be executed directly within the skill's Node.js environment. This presents a critical command injection vulnerability, allowing an attacker to run arbitrary code on the system where the skill is executed. This is an inherent risk of a skill designed for arbitrary code execution. Mitigation strategies should focus on robust input validation and sanitization by the host LLM before generating code, strict sandboxing of the execution environment (e.g., containerization, least privilege user), and careful monitoring of skill execution. | Static | run.js:160 | |
| HIGH | Temporary Execution Files Written to Skill Directory The `run.js` script creates temporary JavaScript files (`.temp-execution-*.js`) directly within the skill's own directory (`__dirname`) for execution. This contradicts the `SKILL.md`'s explicit instruction to 'NEVER write test files to skill directory; always use `/tmp/playwright-test-*.js`'. Writing executable code to the skill's directory grants the potentially malicious code write access to the skill's own files. A compromised LLM could generate code that modifies `lib/helpers.js`, `run.js`, or other skill components, leading to persistence or further attacks on the skill itself. Modify `run.js` to write all temporary execution files to a secure, isolated temporary directory (e.g., `/tmp` or a dedicated user-specific temp directory) instead of the skill's installation directory. Ensure these temporary files are cleaned up promptly after execution. | Static | run.js:140 | |
| HIGH | Browser Sandbox Disabled by Default The `lib/helpers.js` file configures Playwright to launch browsers with `--no-sandbox` and `--disable-setuid-sandbox` arguments by default. While this is sometimes necessary in containerized or specific headless environments, it significantly weakens the security isolation provided by the browser's sandbox. If the browser itself is compromised (e.g., via a web-based exploit), the absence of the sandbox makes it easier for an attacker to escape the browser process and potentially gain access to the host system. Remove `--no-sandbox` and `--disable-setuid-sandbox` from the default browser launch arguments. If sandboxing causes issues in specific environments, provide clear instructions for users to enable these flags only when absolutely necessary and with full awareness of the security implications. Consider using a dedicated, unprivileged user for browser automation. | Static | lib/helpers.js:29 | |
| HIGH | Data Exfiltration Capability Due to the skill's ability to execute arbitrary Playwright code, a compromised LLM could instruct the browser to navigate to sensitive internal or external web pages, extract data from the DOM, local storage, cookies, or network requests, and then exfiltrate this data to an attacker-controlled server. The skill's examples demonstrate capabilities like `page.goto()`, `page.title()`, `page.screenshot()`, and `page.$$eval()` which can be leveraged for data extraction. Implement strict network egress filtering for the skill's execution environment to prevent connections to unauthorized external domains. Ensure the browser runs with minimal necessary privileges and cannot access sensitive local files or network resources beyond its intended scope. The host LLM should be trained to avoid generating code that attempts to exfiltrate data. | Static | SKILL.md:100 | |
| HIGH | Credential Harvesting Capability The skill's ability to execute arbitrary Playwright code, including interacting with forms (as shown in the 'Test Login Flow' example), creates a high risk for credential harvesting. A compromised LLM could be instructed to navigate to login pages, capture user-entered credentials (e.g., from `input` fields), and then exfiltrate them to an attacker. The `authenticate` helper function also handles credentials, which, if misused by a malicious script, could expose them. Similar to data exfiltration, implement network egress filtering. Avoid passing sensitive credentials directly into the Playwright execution context if possible. If credentials must be used, ensure they are handled securely (e.g., via secrets management systems) and that the host LLM is strictly controlled to prevent logging or exfiltrating them. | Static | SKILL.md:180 | |
| HIGH | LLM analysis found no issues despite critical deterministic findings Deterministic layers flagged 4 CRITICAL findings, but LLM semantic analysis returned clean. This may indicate prompt injection or analysis evasion. | LLM | (sanity check) | |
| MEDIUM | Unpinned npm dependency version Dependency 'playwright' is not pinned to an exact version ('^1.57.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | cli-tool/components/skills/utilities/playwright-skill/package.json | |
| MEDIUM | Network egress to untrusted endpoints HTTP request to raw IP address Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 | |
| MEDIUM | Unpinned Playwright Dependency The `package.json` specifies the `playwright` dependency using a caret (`^`) operator: `"playwright": "^1.57.0"`. This allows npm to install minor and patch updates automatically. While common, for a security-sensitive skill that executes arbitrary code and interacts with the web, pinning to an exact version (e.g., `"1.57.0"`) would provide stronger supply chain integrity by preventing unexpected updates that might introduce vulnerabilities or malicious code without explicit review. Consider pinning the `playwright` dependency to an exact version (e.g., `"playwright": "1.57.0"`) to ensure deterministic builds and prevent unintended updates that could introduce security vulnerabilities. Regularly review and manually update dependencies to newer, secure versions. | Static | package.json:13 | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | cli-tool/components/skills/utilities/playwright-skill/package.json | |
| LOW | Covert behavior / concealment directives Multiple zero-width characters (stealth text) Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
Scan History
Embed Code
[](https://skillshield.io/report/8499b648323092db)
Powered by SkillShield