Playwright MCP Automation
Security checks across malware telemetry and agentic risk
Overview
This is a legitimate browser-automation skill, but it should be reviewed because it can control logged-in websites using persistent session data and broad network/tool settings.
Install only if you are comfortable giving an agent real browser-control authority. Keep it local, avoid exposing the MCP port, remove wildcard host settings where possible, pin the Playwright MCP version, use fresh per-task browser profiles, and require explicit confirmation before purchases, payments, posting, deletions, or other account-changing actions.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could take real actions on websites, including purchases or account changes, if a task is ambiguous or a page flow is misinterpreted.
The skill tells the agent to use arbitrary Playwright code for brittle flows and illustrates clicking a purchase-related action. That is powerful and may bypass the safer, stepwise MCP tools if not paired with explicit user approval.
wrap logic inside `browser_run_code` ... await page.getByRole('button', { name: 'Place order' }).click();
Require explicit user confirmation before final purchase, payment, posting, deletion, or other account-changing clicks; prefer the semantic MCP tools over `browser_run_code` unless necessary.
If exposed beyond localhost, another process or network user could potentially reach a browser-control service that may have access to logged-in sessions.
The docs recommend disabling host restrictions and also show exposing the MCP server over HTTP on all interfaces. The artifacts mention firewalling, but do not show built-in authentication or a narrower default boundary for remote browser control.
`--allowed-hosts=*` bypasses DNS rebinding protection ... expose MCP over HTTP: `npx @playwright/mcp@latest --browser=chromium --port=8931 --host=0.0.0.0`
Keep the MCP server bound to localhost, avoid `--allowed-hosts=*` unless strictly local and necessary, use an authenticated tunnel or firewall, and restrict allowed hosts to expected domains.
A browser session may stay logged in across runs, and loaded secrets could be used by the automation if the agent or MCP server is misconfigured or exposed.
The skill explicitly supports persistent authenticated browser state and secret exposure to MCP tools. This is related to the purpose, but it gives the agent access to account sessions and sensitive credentials without tight site, task, or retention limits.
Keeps cookies/localStorage inside `PWMCP_PROFILE` ... Launch with `--secrets path/.env` so MCP can expose sensitive values via `secrets.get`. Include API keys or 2FA tokens there
Use per-task profiles, avoid loading API keys or 2FA tokens unless required, keep secrets in a vault, clear profiles after sensitive tasks, and limit the agent to accounts with least privilege.
A package update could change the browser server's behavior without the skill contents changing.
The launcher downloads/runs the latest MCP package at runtime. This is expected for the stated Playwright MCP purpose, but the version is not pinned, so future upstream changes could alter behavior.
exec npx @playwright/mcp@latest \
Pin @playwright/mcp to a reviewed version and update deliberately after checking the upstream release notes.
Cookies, localStorage, or page state from one task could affect later automations or expose information across tasks.
The skill acknowledges that persistent browser profiles can carry state between tasks or sites. This is disclosed and the document gives mitigation guidance, but users should still notice the cross-task state risk.
Rotate profile path per task to avoid cross-site contamination.
Use separate browser profiles for different sites or users, and delete profiles after sensitive work.
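The mitigations from the network-exposure, persistent-session, unpinned-version and cross-task-state findings above can be enforced in one launcher. The script below is an added example written for this review; it is not the skill's own launcher and not code from the Playwright MCP project. Its function names (`pwmcp_check_cmdline`, `pwmcp_build_cmdline`, `pwmcp_new_profile`, `pwmcp_cleanup_profile`, `pwmcp_launch`), the environment variables `PWMCP_VERSION`, `PWMCP_PROFILE_BASE`, `PWMCP_SECRETS_FILE` and `PWMCP_LAUNCH`, and the default version `1.0.0` are the example's own (the version is a placeholder, not a reviewed release); `--user-data-dir` is assumed to be the upstream profile-directory option, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Hardened launcher for @playwright/mcp (added example for this review; not the skill's launcher).
# Assumptions not taken from the page: "1.0.0" is a PLACEHOLDER for a version you have reviewed,
# --user-data-dir is the upstream profile-directory option, and paths contain no whitespace.

PWMCP_VERSION="${PWMCP_VERSION:-1.0.0}"        # PLACEHOLDER: set to a reviewed release, never @latest
PWMCP_PORT="${PWMCP_PORT:-8931}"               # port used in the page's HTTP example
PWMCP_BIND_HOST="127.0.0.1"                    # loopback only; never 0.0.0.0
PWMCP_PROFILE_BASE="${PWMCP_PROFILE_BASE:-${TMPDIR:-/tmp}/pwmcp-profiles}"

# Print one line per weak setting found in a launch command line and return 1 if any.
# The three checks mirror the review findings: unpinned @latest, the MCP port on all
# interfaces, and the DNS-rebinding bypass (--allowed-hosts=*).
pwmcp_check_cmdline() {
    cmd="$1"; rc=0
    case "$cmd" in *'@playwright/mcp@latest'*)
        echo "weak: package version not pinned (@latest)"; rc=1 ;; esac
    case "$cmd" in *'--host=0.0.0.0'*|*'--host 0.0.0.0'*)
        echo "weak: MCP port bound on all interfaces"; rc=1 ;; esac
    case "$cmd" in *'--allowed-hosts=*'*|*'--allowed-hosts *'*)
        echo "weak: DNS rebinding protection disabled (--allowed-hosts=*)"; rc=1 ;; esac
    return "$rc"
}

# Print the hardened command line for a given profile directory. --secrets is added only
# when PWMCP_SECRETS_FILE points at a readable file, so API keys and 2FA tokens are loaded
# for a task on purpose rather than by default.
pwmcp_build_cmdline() {
    profile="$1"
    printf 'npx @playwright/mcp@%s --browser=chromium --host=%s --port=%s --user-data-dir=%s' \
        "$PWMCP_VERSION" "$PWMCP_BIND_HOST" "$PWMCP_PORT" "$profile"
    if [ -n "${PWMCP_SECRETS_FILE:-}" ] && [ -r "$PWMCP_SECRETS_FILE" ]; then
        printf ' --secrets %s' "$PWMCP_SECRETS_FILE"
    fi
    printf '\n'
}

# Create a fresh, owner-only profile directory for one task (cookies and localStorage
# from earlier tasks are never reused) and print its path.
pwmcp_new_profile() {
    mkdir -p "$PWMCP_PROFILE_BASE" && chmod 700 "$PWMCP_PROFILE_BASE"
    mktemp -d "$PWMCP_PROFILE_BASE/$1-XXXXXX"
}

# Delete a task profile, refusing any path outside the profile base.
pwmcp_cleanup_profile() {
    case "$1" in
        "$PWMCP_PROFILE_BASE"/?*) rm -rf "$1" ;;
        *) echo "refusing to delete $1: outside $PWMCP_PROFILE_BASE" >&2; return 1 ;;
    esac
}

# Launch for one task: fresh profile, hardened flags, profile removed when the server stops.
pwmcp_launch() {
    profile=$(pwmcp_new_profile "${1:-adhoc}") || exit 1
    trap 'pwmcp_cleanup_profile "$profile"' EXIT
    cmd=$(pwmcp_build_cmdline "$profile")
    pwmcp_check_cmdline "$cmd" || { echo "refusing to launch with weak settings" >&2; exit 1; }
    echo "launching: $cmd"
    $cmd   # word-split on purpose; paths are assumed whitespace-free
}

# Only start the server when explicitly asked, so the file can also be sourced for its checks.
if [ "${PWMCP_LAUNCH:-0}" = "1" ]; then
    pwmcp_launch "$1"
fi
```

Run it as `PWMCP_VERSION=<reviewed version> PWMCP_LAUNCH=1 sh pwmcp-launch.sh checkout`; sourcing it without `PWMCP_LAUNCH` gives you `pwmcp_check_cmdline` to audit an existing launcher's command line, which flags all three weak settings in the `--host=0.0.0.0` example quoted above.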
