Back to skill

Security audit

Playwright MCP Automation

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate browser automation skill, but it needs review because it gives agents broad control over logged-in browser sessions with weak safety guidance.

Install only if you are comfortable giving an agent real browser-control authority. Keep the MCP server bound to localhost, avoid --allowed-hosts=* and 0.0.0.0 unless isolated behind strong access controls, use fresh per-task profiles, protect and delete session artifacts after sensitive work, pin the Playwright MCP package version, and require explicit confirmation before purchases, payments, posts, deletions, or other account-changing actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly instructs agents to use persistent browser profiles, storage-state files, secrets files, and extension-based reuse of signed-in browser sessions, but it does not include strong warnings or guardrails about credential leakage, cross-task/session contamination, or handling of highly sensitive authentication artifacts. In this context, the omission is meaningful because the skill is designed for live website login flows and encourages reuse of authenticated state, which can expose user data or enable unintended actions if the profile, storage state, or secrets are mishandled.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide recommends a persistent browser profile to retain login state, which means cookies, session tokens, and localStorage data may be stored on disk and reused across sessions. In the context of an automation skill that logs into real sites, this materially increases the risk of credential/session theft or unintended cross-task account access if the profile directory is shared, copied, or insufficiently protected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Documenting `--secrets /path/.env` without strong handling guidance can lead operators to place credentials in broadly readable files or source-controlled locations. Because this skill is designed to automate authenticated browsing and can expose secrets to MCP-accessible tooling, weak secret-file hygiene can result in credential disclosure or misuse.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script starts Playwright MCP with `--allowed-hosts=*`, which effectively removes destination restrictions and enables automated browser access to arbitrary websites. In the context of an agent skill explicitly designed to log in to sites, browse dashboards, and perform live actions, this broad access materially increases the risk of SSRF-like browsing abuse, unintended access to sensitive internal or external services, and automated exfiltration or destructive actions if the MCP server is invoked by an untrusted or over-privileged agent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.