Back to skill

Security audit

playwright-controller

Security checks across malware telemetry and agentic risk

Overview

This browser capture skill is not clearly malicious, but it needs review because its command loads code from a developer-only path and saves captured page content to disk.

Install only if you are comfortable reviewing or fixing the CLI first. The require path should be changed to the packaged local module before use. Avoid authenticated or sensitive pages unless you intend to save screenshots and extracted text locally, and choose an output folder you can inspect and delete afterward.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The documented behavior expands beyond simple webpage browsing by persisting screenshots and extracted page text to local disk, using a visible browser by default, and forcing mobile emulation. Those behaviors can capture sensitive content such as authenticated pages, personal data, or session-dependent content without clearly scoping or minimizing data collection, creating privacy and data-handling risk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The command writes full extracted page content to a local text file even though the stated skill behavior is browsing, fetching, and screenshots. Persisting arbitrary remote content to disk expands the capability from transient retrieval to durable local storage, which can unintentionally retain sensitive data from authenticated pages or internal resources visited through Playwright.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The --dir argument is fully user-controlled and is used directly to create directories and write files, allowing arbitrary local filesystem writes within the privileges of the running process. In an agent skill context, this exceeds the stated browsing purpose and can be abused to drop files into unexpected locations, overwrite adjacent workflow artifacts, or persist scraped data where other components may consume it.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The README encourages automatic screenshot and text extraction to local storage without clearly warning that captured pages may contain personal data, credentials, internal content, or copyrighted material. In a browsing/scraping skill, silent persistence of page content increases the risk of unintended data retention and downstream leakage via local files, logs, or shared workspaces.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages browsing arbitrary URLs and saving screenshots and extracted text locally without warning that pages may contain secrets, personal data, internal content, or regulated information. In an agent environment, automatic persistence of remote content materially increases the risk of unintended local data retention and later disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation advertises visible browser mode with support for manual login, which raises the likelihood that authenticated sessions, account pages, tokens displayed in the UI, or personal information will be captured in screenshots and text extraction. Without prominent warnings or safeguards, users may unintentionally store highly sensitive post-login content to disk.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"node": ">=16.0.0"
  },
  "dependencies": {
    "playwright": "^1.58.2"
  }
}
Confidence
86% confidence
Finding
"playwright": "^1.58.2"

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.