Back to skill

Security audit

Playwright Cli

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Playwright browser automation skill, but it needs Review because it exposes browser sessions, auth tokens, recordings, and arbitrary code execution without enough safety scoping or warnings.

Install only if you intend to let the agent drive browser sessions for testing. Use test accounts where possible, avoid production authenticated sessions, treat auth.json, cookies, traces, screenshots, videos, and network logs as secrets, review any script passed to run-code, and require explicit confirmation before token extraction, persistent profile use, kill-all, close-all, or delete-data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The example explicitly shows extracting an authentication token from browser cookies and exporting it into a shell variable. That enables easy exfiltration, reuse, or accidental disclosure of live session credentials outside the browser automation context, which goes beyond ordinary testing examples and lowers the barrier to credential theft or misuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents commands for saving browser state and reading or setting cookies/localStorage/sessionStorage, including session identifiers, without any warning about handling credentials or authenticated session material. In an agent setting, this can normalize extraction, persistence, or replay of sensitive tokens and cookies, increasing the risk of account takeover or inadvertent secret leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented console, request inspection, tracing, and video-recording features can capture page contents, API traffic, tokens, PII, and other confidential user data, yet the skill provides no privacy or data-minimization guidance. In a browser automation context, these capabilities materially increase exposure because agents may record or inspect authenticated sessions and sensitive workflows.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The file documents storage-manipulation commands such as cookie clearing, local/session storage deletion, and state load/save without warning about privacy, persistence, or data-loss consequences. In an automation skill, these commands can silently destroy session state, overwrite auth context, or expose sensitive browser data if used carelessly, especially when an agent may invoke them on behalf of a user.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
Commands like `close-all`, `kill-all`, and `delete-data` are high-impact and potentially irreversible, yet the documentation provides no warning about terminating active browser processes or deleting session data. In an agent-driven environment, this increases the chance of accidental disruption, loss of user work, and deletion of sensitive or needed automation state.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples encourage video recording and saving authentication state but provide no warning that credentials, session cookies, personal data, and on-screen secrets may be captured in recordings or state files. In a browser automation skill, these artifacts are portable and easy to leak, making accidental credential exposure more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation advertises arbitrary Playwright code execution and file-writing via external script files without any safety warning or restriction. This materially increases abuse potential because a user or downstream agent can run unreviewed code that reads page data, changes browser permissions, captures screenshots, or writes sensitive artifacts to disk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.