Trust Assessment
playwright-mcp received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 0 critical, 3 high, 0 medium, and 0 low severity. Key findings include Arbitrary JavaScript execution via `browser_evaluate`, File upload capability via `browser_choose_file`, Arbitrary file write via `--output-dir`.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 55/100, indicating areas for improvement.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings3
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| HIGH | Arbitrary JavaScript execution via `browser_evaluate` The `browser_evaluate` tool allows executing arbitrary JavaScript code within the context of the browsed web page. If an attacker can control the `script` argument passed to this tool, they can inject malicious JavaScript to exfiltrate sensitive data (e.g., cookies, local storage, DOM content, user input), bypass client-side security policies, or perform other malicious actions within the browser. While the skill mentions sandboxing and host validation, the capability itself is very powerful and requires careful input sanitization by the calling agent. The calling agent must strictly sanitize or validate any user-provided input before passing it as the `script` argument to `browser_evaluate`. Consider using an allowlist of safe scripts or a sandboxed environment if user-provided scripts are necessary. Implement robust output validation to prevent data leakage. | LLM | SKILL.md:60 | |
| HIGH | File upload capability via `browser_choose_file` The `browser_choose_file` tool allows the agent to upload local files to a web page. If an attacker can control the file path argument, they could potentially force the agent to upload sensitive local files, leading to data exfiltration. Although the skill mentions "restricts file system access to workspace root" by default, this capability still poses a risk if the workspace root contains sensitive data or if the restriction can be bypassed. The calling agent must strictly validate and sanitize any file paths provided by untrusted input to `browser_choose_file`. Ensure that only explicitly allowed files or files within a secure, isolated directory can be selected for upload. | LLM | SKILL.md:64 | |
| HIGH | Arbitrary file write via `--output-dir` The `--output-dir` configuration option allows specifying an arbitrary directory for saving browser output (e.g., screenshots, traces, videos). If an attacker can control this argument, they could potentially direct the skill to write files to sensitive locations on the host system, leading to data leakage, overwriting critical files, or consuming disk space. Although the skill mentions "restricts file system access to workspace root" by default, this capability still poses a risk if the workspace root is not sufficiently isolated or if the restriction can be bypassed. The calling agent must strictly validate and sanitize any directory paths provided by untrusted input for the `--output-dir` option. Ensure that output is only written to a secure, isolated, and ephemeral directory. | LLM | SKILL.md:90 |
Scan History
Embed Code
[](https://skillshield.io/report/ce71a761373518ee)
Powered by SkillShield