Security Audit
testdino-hq/playwright-skill:playwright-cli
github.com/testdino-hq/playwright-skill
Trust Assessment
testdino-hq/playwright-skill:playwright-cli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 3 high, 1 medium, and 0 low severity. Key findings include: Arbitrary Code Execution via `run-code` command; JavaScript Injection via `eval` command; and Data Exfiltration and Arbitrary File Write via `state-save`, `screenshot`, `pdf` commands.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on March 31, 2026 (commit 11003e2b). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Arbitrary Code Execution via `run-code` command.** The `playwright-cli run-code` command allows executing arbitrary JavaScript code within the Playwright browser context. If an attacker can control the code passed to this command, they can perform any action available through the Playwright API, including navigating to malicious sites, exfiltrating sensitive data (cookies, local storage, page content), interacting with the file system (if the Playwright environment allows it), or making network requests. This grants an extremely high level of control over the browser and potentially the underlying system. Restrict or heavily sanitize the input to `run-code`. Consider if this level of arbitrary code execution is truly necessary for the skill's intended purpose. If so, implement strict sandboxing and input validation, and ensure the execution environment is isolated. | LLM | SKILL.md:192 |
| HIGH | **JavaScript Injection via `eval` command.** The `playwright-cli eval` command allows executing arbitrary JavaScript expressions within the context of the currently open browser page. An attacker who can control the expression passed to `eval` could execute malicious JavaScript, leading to data exfiltration (e.g., reading `document.cookie`, `localStorage`, page content), DOM manipulation, or other client-side attacks within the browser's security context. Strictly validate and sanitize any user-supplied input before passing it to the `eval` command. Prefer specific, parameterized commands over generic evaluation where possible to limit the scope of execution. | LLM | SKILL.md:80 |
| HIGH | **Data Exfiltration and Arbitrary File Write via `state-save`, `screenshot`, `pdf` commands.** Commands like `playwright-cli state-save`, `playwright-cli screenshot --filename`, and `playwright-cli pdf --filename` allow saving sensitive browser state (cookies, local storage) or page content (screenshots, PDFs) to arbitrary file paths. If an attacker can control the `file.json` or `--filename` arguments, they could save sensitive data to publicly accessible locations, overwrite critical system files, or exfiltrate data by saving it to a controlled network share or a location that can be later retrieved. Implement strict validation and sanitization for all file paths and filenames. Restrict file operations to a designated, sandboxed directory. Avoid allowing absolute paths or directory traversal characters in user-supplied filenames. | LLM | SKILL.md:130 |
| HIGH | **Arbitrary File Upload via `upload` command.** The `playwright-cli upload <ref> ./file.pdf` command allows uploading local files from the agent's environment to a target web application. If an attacker can control the path to the local file, they could potentially upload sensitive files from the agent's environment, leading to data exfiltration or other attacks depending on the web application's vulnerabilities and the content of the uploaded file. Strictly validate and sanitize the file path provided to the `upload` command. Restrict uploads to a designated, sandboxed directory or disallow uploading arbitrary local files if not strictly necessary. | LLM | SKILL.md:78 |
| MEDIUM | **Direct Exposure of Sensitive Browser Data.** Commands such as `playwright-cli cookie-list`, `localstorage-list`, and `playwright-cli sessionstorage-list` directly expose sensitive browser data (cookies, local storage items, session storage items) to the LLM. While these commands do not directly write to files, the LLM could then process and potentially exfiltrate this information if not handled securely. This data often contains session tokens, authentication details, or other personally identifiable information. Implement strict access controls and logging for commands that expose sensitive data. Ensure that the LLM's output is carefully sanitized and reviewed to prevent inadvertent data leakage. Consider if the LLM truly needs to see the raw values of all these items, or if a more abstract representation would suffice. | LLM | SKILL.md:135 |