Trust Assessment
outlook-web received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 1 critical, 1 high, 1 medium, and 0 low severity. The key findings are: Potential for JavaScript Injection via `playwright-cli run-code`; Potential for Shell Command Injection via `playwright-cli` arguments; and Broad `playwright-cli` permissions granted.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential for JavaScript Injection via `playwright-cli run-code`: The skill demonstrates the use of `playwright-cli run-code` to execute arbitrary JavaScript within the browser context. If an AI agent constructs the JavaScript code for `run-code` by directly embedding untrusted user input without proper sanitization, an attacker could inject malicious JavaScript. This could lead to data exfiltration (e.g., `document.cookie`, `localStorage`), manipulation of the browser state, or other client-side attacks within the Outlook Web session. When generating `playwright-cli run-code` commands, ensure that any user-provided input embedded into the JavaScript string is rigorously sanitized and escaped to prevent JavaScript injection. Consider using parameterized functions within the `run-code` context if `playwright-cli` supports it, or strictly validate and escape all dynamic content. | LLM | SKILL.md:169 |
| HIGH | Potential for Shell Command Injection via `playwright-cli` arguments: The skill uses `playwright-cli` commands with arguments such as URLs, selectors, and text content (e.g., `open`, `fill`, `click`). If an AI agent constructs these commands by directly embedding untrusted user input into the arguments without proper shell escaping, an attacker could inject arbitrary shell commands. This could lead to execution of malicious commands on the host system, potentially compromising the agent or the environment. When generating `playwright-cli` commands, ensure that all user-provided input used as arguments (especially for `open`, `fill`, `click`, `keyboard`, etc.) is properly shell-escaped to prevent command injection. Use a robust escaping mechanism appropriate for the shell environment. | LLM | SKILL.md:108 |
| MEDIUM | Broad `playwright-cli` permissions granted: The skill declares `Bash(playwright-cli:*)` permissions, granting full access to all `playwright-cli` subcommands. `playwright-cli` is a powerful browser automation tool capable of executing arbitrary JavaScript (via `run-code`), interacting with the filesystem (e.g., screenshots, downloads), and making network requests. While necessary for the skill's functionality, this broad permission scope, combined with potential injection vulnerabilities, increases the attack surface and the impact of a successful exploit. If possible, restrict `playwright-cli` permissions to only the specific subcommands and arguments absolutely necessary for the skill's operation. For example, if `run-code` is not strictly needed for all operations, consider a more granular permission. However, given the nature of browser automation, this might be challenging. Focus on robust input sanitization to mitigate the risks associated with these broad permissions. | LLM | Manifest |