Trust Assessment
playwright-skill received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 5 critical, 1 high, 2 medium, and 1 low severity. Key findings include Arbitrary command execution, Unsafe deserialization / dynamic eval, Unpinned npm dependency version.
The analysis covered 4 layers: dependency_graph, static_code_analysis, manifest_analysis, llm_behavioral_safety. The manifest_analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit f4b5c7d6). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings9
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary command execution Python dynamic code execution (exec/eval/compile) Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/lib/helpers.js:174 | |
| CRITICAL | Arbitrary command execution Node.js child_process require Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/run.js:15 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/run.js:38 | |
| CRITICAL | Arbitrary command execution Node.js synchronous shell execution Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/run.js:39 | |
| CRITICAL | Arbitrary Code Execution via LLM-Generated Playwright Scripts The skill's primary function, as described in `SKILL.md`, is to generate and execute arbitrary JavaScript code based on user requests. The instruction 'I'll write custom Playwright code for any automation task you request and execute it via the universal executor' explicitly directs the LLM to create and run code. The `run.js` script then takes this generated code (either from a temporary file or inline argument) and executes it using Node.js via `require(tempFile);`. This design allows a malicious user to craft prompts that cause the LLM to generate and execute arbitrary JavaScript code on the host system, leading to full system compromise, data exfiltration, or other malicious activities. The core design of executing LLM-generated code is inherently risky. Implement a robust sandbox environment (e.g., a containerized execution environment with strict network and filesystem policies) for executing generated code. Alternatively, restrict the LLM's ability to generate arbitrary code, instead providing a limited set of safe, pre-defined functions or templates that the LLM can parameterize, and validate all parameters rigorously. | Unknown | SKILL.md:14 | |
| HIGH | Playwright Browser Sandbox Disabled by Default The `launchBrowser` helper function in `lib/helpers.js` explicitly disables the Playwright browser sandbox by default using `args: ['--no-sandbox', '--disable-setuid-sandbox']`. While this configuration is sometimes used in containerized or CI/CD environments, it significantly reduces the security posture of the browser process. If a malicious website is visited (e.g., through a crafted URL provided in a prompt), a browser exploit could more easily escape the browser process and affect the host system, especially when combined with the skill's capability for arbitrary code execution. Only disable the browser sandbox if absolutely necessary and in a strictly controlled environment. For general use, remove these arguments to allow the browser to run with its default security sandboxing. If running in a container, ensure the container itself provides sufficient isolation. | Unknown | lib/helpers.js:39 | |
| MEDIUM | Unsafe deserialization / dynamic eval Decryption followed by code execution Remove obfuscated code execution patterns. Legitimate code does not need base64-encoded payloads executed via eval, encrypted-then-executed blobs, or dynamic attribute resolution to call system functions. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/run.js:111 | |
| MEDIUM | Unpinned npm dependency version Dependency 'playwright' is not pinned to an exact version ('^1.57.0'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/package.json | |
| LOW | Node lockfile missing package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). Commit a lockfile for deterministic dependency resolution. | Unknown | /var/folders/1k/67b8r20n777f_xcmmm8b7m5h0000gn/T/skillscan-clone-qk95nui_/repo/packages/skills-catalog/skills/(web-automation)/playwright-skill/package.json |
Scan History
Embed Code
[](https://skillshield.io/report/a2764da7c5111895)
Powered by SkillShield