Trust Assessment
playwright-browser-automation received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 6 findings: 2 critical, 2 high, 2 medium, and 0 low severity. Key findings include Excessive Permissions via Sudoers NOPASSWD, Prompt Injection / Data Exfiltration via Arbitrary JavaScript Execution (browser_evaluate), Credential Harvesting via Unrestricted Auth State Storage.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings6
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Excessive Permissions via Sudoers NOPASSWD The skill documentation suggests configuring `sudoers` to allow `npx playwright install-deps` and `npx playwright install` to run as root without a password. This grants significant privilege escalation to the user running the agent, allowing them to install system-level dependencies or browsers with root privileges without further authentication. If `npx playwright` can be exploited or tricked into executing arbitrary commands, this NOPASSWD rule makes the system highly vulnerable. Avoid using NOPASSWD for commands that can install system dependencies. Implement more granular sudo rules, run the agent as a less privileged user, or require explicit password confirmation for such operations. | LLM | SKILL.md:290 | |
| CRITICAL | Prompt Injection / Data Exfiltration via Arbitrary JavaScript Execution (browser_evaluate) The `browser_evaluate` tool, as demonstrated in `examples.py`, allows arbitrary JavaScript code to be passed as a string and executed within the browser context. If the `script` parameter is derived from untrusted user input (e.g., an LLM generating the script based on a prompt), an attacker could inject malicious JavaScript. This could lead to data exfiltration (reading cookies, local storage, DOM content), unauthorized actions on web pages, or other browser-based attacks. Strictly validate and sanitize any JavaScript code generated from untrusted input before passing it to `browser_evaluate`. Consider using a more constrained API for data extraction or interaction, or implement a secure sandboxing mechanism for JavaScript execution. | LLM | examples.py:80 | |
| HIGH | Credential Harvesting via Unrestricted Auth State Storage The `context.storageState({ path: 'auth.json' })` example demonstrates saving browser authentication state (cookies, local storage) to a local file. If the `path` argument is controllable by untrusted input, an attacker could specify an arbitrary path, leading to: 1) saving sensitive authentication data to an insecure or publicly accessible location, or 2) overwriting critical system files with authentication data, potentially causing denial of service or further compromise. Sanitize and restrict file paths for saving authentication state. Ensure that the path is within a secure, agent-controlled directory and not user-specifiable. Consider encrypting stored authentication data. | LLM | SKILL.md:200 | |
| HIGH | Prompt Injection / Data Exfiltration via Arbitrary JavaScript Execution (page.evaluate) The `page.evaluate()` and `page.waitForFunction()` methods allow arbitrary JavaScript code to be executed within the context of the browsed page. If the JavaScript code is derived from untrusted input (e.g., an LLM generating the script based on a user prompt), it could lead to prompt injection, allowing an attacker to exfiltrate sensitive data from the visited website (cookies, local storage, DOM content) or perform unintended actions within the browser. Strictly validate and sanitize any JavaScript code generated from untrusted input before passing it to `page.evaluate` or `page.waitForFunction`. Implement a secure sandboxing mechanism or limit the scope of JavaScript execution. | LLM | SKILL.md:137 | |
| MEDIUM | Data Exfiltration / Arbitrary File Overwrite via Unrestricted File Writes The skill demonstrates writing various files to the local filesystem, including screenshots (`page.screenshot`), PDFs (`page.pdf`), and downloaded files (`download.saveAs`). If the `path` argument for these operations is controllable by untrusted input, an attacker could specify arbitrary file paths. This could lead to: 1) data exfiltration by writing sensitive data to publicly accessible directories, or 2) overwriting critical system files, potentially causing denial of service or further compromise. Sanitize and restrict file paths for all write operations. Ensure that files are written only to agent-controlled, secure directories. Implement checks to prevent overwriting existing files or writing to sensitive system locations. | LLM | SKILL.md:150 | |
| MEDIUM | Weakened Browser Security via CSP Bypass The `bypassCSP: true` configuration option explicitly disables Content Security Policy (CSP) for the browser context. While this might be necessary for certain automation tasks, it significantly weakens the browser's security posture. If combined with other vulnerabilities, such as arbitrary JavaScript execution, bypassing CSP makes it easier for an attacker to inject and execute malicious scripts, increasing the risk of data exfiltration and other client-side attacks. Avoid bypassing CSP unless absolutely necessary. If required, ensure that other security measures are in place to mitigate the increased risk, especially when processing untrusted content or executing dynamic scripts. | LLM | SKILL.md:269 |
Scan History
Embed Code
[](https://skillshield.io/report/4afcd8ab85bd5cd2)
Powered by SkillShield