Playwright Cli Skills

Security checks across malware telemetry and agentic risk

Overview

This is mostly a browser automation skill, but it bundles an under-disclosed Amazon search exporter that reuses a saved login session and gives weak warnings about stored browser secrets.

Review before installing. Use this only with a dedicated browser profile or low-risk test accounts, avoid running traces or videos on real payment, login, or production data, and treat saved auth files, cookies, traces, videos, and storage-state files like passwords. Do not use the bundled Amazon helper with your main account unless you are comfortable with an agent reusing that session and writing search results locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script loads persistent Amazon authentication state from a local file and reuses it for automated browsing, which can enable access to account-scoped data or actions without fresh user awareness. In an agent skill context, this is riskier because a seemingly simple product-search tool gains implicit access to an authenticated Amazon session, increasing the chance of account misuse, data exposure, or unintended privileged interactions.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script is not a generic Playwright helper; it is purpose-built to scrape Amazon search results and export them to CSV, which exceeds the stated skill scope of browser automation/testing. Scope-mismatched skills are dangerous because they can hide data-harvesting behavior behind a benign-seeming description and may facilitate terms-of-service violations or unauthorized commercial scraping.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The script loads a persisted Amazon authentication state from ~/amazon-auth.json before performing scraping, enabling access through an existing logged-in e-commerce account. Using stored account session material in a skill whose stated purpose is not account management increases the risk of unauthorized account use, exposure of personal/order data through session reuse, and abuse of privileged access if the state file is copied or misused.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill explicitly demonstrates extracting a session cookie into shell output with `TOKEN=$(playwright-cli --raw cookie-get session_id)` but provides no warning that cookies and similar browser state may be authentication secrets. In an agent setting, this can normalize credential harvesting, accidental logging, or onward reuse of active session tokens.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation promotes persistent profiles and state save/load without warning that these features retain browsing data, cookies, and authenticated sessions on disk. In shared or agent-managed environments, this can lead to unintended credential persistence, cross-task data leakage, or reuse of another user's authenticated state.

Missing User Warnings

Medium
Confidence: 82%
Finding
The `delete-data` command irreversibly removes browser user data, but the skill does not warn users that this may destroy saved sessions, cookies, and local browser state. In an automated context, a mistaken invocation could cause data loss or logout/disruption across workflows relying on persisted state.

Missing User Warnings

Medium
Confidence: 86%
Finding
The `close-all` and especially `kill-all` commands can terminate multiple browser processes broadly, yet the skill provides no warning about disruption to unrelated work or potential loss of unsaved state. In multi-user or multitask environments, this can interfere with other sessions beyond the intended automation task.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README instructs users to save and reuse an Amazon authenticated browser state file (`~/amazon-auth.json`) but provides no warning that this file contains sensitive session material that can enable account access if copied or exposed. In the context of a browser automation skill for a commercial site, encouraging persistent session reuse without storage, permission, and lifecycle guidance materially increases the risk of credential/session theft or accidental leakage.

Missing User Warnings

Medium
Confidence: 89%
Finding
The documentation explicitly teaches users to execute arbitrary Playwright code that can grant powerful browser permissions, read or write clipboard contents, download files to disk, and persist authentication state to a local file. In an agent skill context, these examples normalize sensitive operations without warning about privacy, credential, or filesystem implications, increasing the chance that an automated agent or user will run risky commands against real sites and data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation encourages trace capture of DOM snapshots, screenshots, network activity, and console logs without warning that these artifacts can contain credentials, session tokens, personal data, or other secrets. In a browser automation skill, users are likely to run traces against authenticated applications, so omission of privacy and secret-handling guidance can lead to inadvertent sensitive data collection and unsafe retention or sharing of trace files.

Missing User Warnings

Medium
Confidence: 95%
Finding
Listing request and response headers and bodies as captured output without any caution is dangerous because these commonly include authorization headers, cookies, API keys, CSRF tokens, personal data, and business-sensitive payloads. Given this skill's purpose—automating web applications—the context increases risk because traces are likely to include authenticated traffic from real environments.

Missing User Warnings

High
Confidence: 99%
Finding
The example explicitly traces a checkout flow while entering full payment card details and CVV, normalizing the capture of highly regulated financial data in trace files, screenshots, DOM snapshots, and network logs. This is especially dangerous in a Playwright tracing context because the tool is designed to persist exactly the kinds of artifacts that can expose cardholder data and create compliance, breach, and misuse risks.

Missing User Warnings

Medium
Confidence: 93%
Finding
The documentation encourages recording browser sessions to disk but does not warn that videos may capture sensitive on-screen data such as credentials, session tokens, personal information, internal dashboards, or other confidential content. In a browser automation skill, this omission is materially risky because recordings are explicitly positioned as proof/debug artifacts and may be retained, shared, or stored in predictable locations without users considering privacy and data-handling consequences.

VirusTotal

67/67 vendors flagged this skill as clean.
