Trust Assessment
playwright-cli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 1 medium, and 1 low severity. Key findings include arbitrary JavaScript execution via `playwright-cli run-code`, arbitrary URL navigation capability, and data capture via screenshot and PDF generation.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 46/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary JavaScript execution via `playwright-cli run-code`. The skill exposes the `playwright-cli run-code <code>` command, which allows an agent to execute arbitrary JavaScript within the context of the currently open browser page. If an agent is prompted with untrusted input, this capability could be exploited to perform cross-site scripting (XSS)-like attacks, exfiltrate sensitive data (e.g., cookies, local storage, DOM content), or manipulate the page in malicious ways. This is a direct command injection vector through the tool. Implement strict input validation and sanitization for the `<code>` argument when using `playwright-cli run-code`. Consider whether this command is truly necessary for the agent's intended function, or whether more constrained browser interaction methods can be used. If retained, ensure the agent's LLM is robustly guarded against generating malicious JavaScript. | LLM | SKILL.md:69 |
| HIGH | Arbitrary URL navigation capability. The skill allows opening arbitrary URLs via `playwright-cli open <url>`. While fundamental for a browser automation tool, if an agent is prompted with a malicious or untrusted URL, it could navigate to phishing sites, sites hosting malware, or sites designed to exploit browser vulnerabilities. This poses a significant risk of data exfiltration, credential harvesting, or system compromise. Implement strict URL validation and allow-listing for URLs that the agent is permitted to open. Ensure the agent's LLM is trained to identify and reject suspicious URLs. Consider sandboxing the browser environment or running it in a highly restricted network segment. | LLM | SKILL.md:20 |
| MEDIUM | Data capture via screenshot and PDF generation. The skill provides the commands `playwright-cli screenshot` and `playwright-cli pdf`, which can capture the visual content of the browser page or save it as a PDF. If an agent is instructed to navigate to a page containing sensitive information (e.g., personal data, financial details, internal documents) and then use these commands, the captured data could be exfiltrated. This represents a data exfiltration risk. Ensure that the agent is not permitted to visit or capture content from sensitive internal systems or pages containing PII. Implement content analysis on captured screenshots/PDFs if they are to be stored or transmitted, to detect and redact sensitive information. | LLM | SKILL.md:55 |
| LOW | Unpinned dependency in installation instructions. The installation instruction `npm install -g @playwright/mcp@latest` uses the `@latest` tag instead of a specific version. While `@latest` typically points to the most recent stable release, it is not a pinned version. This introduces a supply chain risk where a future, potentially compromised or breaking, version of the package could be installed without explicit review, leading to unexpected behavior or security vulnerabilities. Pin the dependency to a specific, known-good version (e.g., `npm install -g @playwright/mcp@1.x.x`) to ensure deterministic installations and mitigate risks from unexpected updates or malicious package injections into the `latest` tag. | LLM | SKILL.md:12 |