Security Audit
playwright-skill
github.com/sickn33/antigravity-awesome-skills
Trust Assessment
playwright-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 14 findings: 7 critical, 4 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, File read + network send exfiltration, and Unsafe deserialization / dynamic eval.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit e36d6fd3). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (14)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python dynamic code execution (exec/eval/compile). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/playwright-skill/lib/helpers.js:174 |
| CRITICAL | Arbitrary command execution: Node.js child_process require. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/playwright-skill/run.js:15 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/playwright-skill/run.js:38 |
| CRITICAL | Arbitrary command execution: Node.js synchronous shell execution. Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/playwright-skill/run.js:39 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/playwright-skill/SKILL.md:7 |
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/playwright-skill/SKILL.md:8 |
| CRITICAL | Arbitrary JavaScript Code Execution (Command Injection). The skill is designed to execute arbitrary JavaScript code generated by the host LLM. This presents a critical command injection vulnerability. A malicious prompt could instruct the LLM to generate JavaScript code that uses Node.js modules like 'child_process' to execute arbitrary shell commands, 'fs' to read/write files, or 'net' to exfiltrate data from the host system. The `run.js` script directly takes and executes this untrusted code. Implement a robust sandboxing mechanism (e.g., isolated JavaScript runtime, WebAssembly, or a highly restricted execution environment) to prevent generated code from accessing sensitive system resources or executing arbitrary commands. Alternatively, restrict the allowed JavaScript syntax and API calls to a safe subset. | LLM | run.js:77 |
| HIGH | Unsafe deserialization / dynamic eval: Decryption followed by code execution. Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Manifest | skills/playwright-skill/run.js:111 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/playwright-skill/SKILL.md:7 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.claude/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/playwright-skill/SKILL.md:8 |
| HIGH | Potential Data Exfiltration via Arbitrary Code Execution. As a direct consequence of the arbitrary JavaScript code execution vulnerability, the generated code can easily exfiltrate sensitive data. This includes environment variables, local files, or any other data accessible to the Node.js process. The `lib/helpers.js` file explicitly demonstrates accessing `process.env` for headers, which highlights a common target for exfiltration if malicious code is executed. In addition to sandboxing the execution environment, implement strict network egress controls for the skill's process. Monitor and alert on unusual data access patterns or network connections initiated by the skill. Ensure no sensitive data is exposed via environment variables that the skill can access. | LLM | lib/helpers.js:10 |
| MEDIUM | Unpinned npm dependency version. Dependency 'playwright' is not pinned to an exact version ('^1.57.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/playwright-skill/package.json |
| MEDIUM | Unpinned Dependency Version (Supply Chain Risk). The `package.json` specifies the `playwright` dependency using a caret (`^`) operator, allowing minor and patch updates (`"playwright": "^1.57.0"`). This introduces a supply chain risk, as a malicious update to a future version of Playwright or its sub-dependencies could be automatically installed and executed without explicit review, potentially introducing vulnerabilities or backdoors. Pin all dependencies to exact versions (e.g., `"playwright": "1.57.0"`) to ensure deterministic builds and prevent unexpected changes from upstream packages. Use a dependency lock file (e.g., `package-lock.json`) and regularly audit dependencies for known vulnerabilities. | LLM | package.json:16 |
| LOW | Node lockfile missing. package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/playwright-skill/package.json |