Playwright.Tmp

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Playwright browser-automation guide with disclosed, purpose-aligned risks around npm setup, browser sessions, and test artifacts.

Install only if you want an agent to help with real browser automation. Use dedicated test or staging accounts where possible, confirm before submissions/uploads/account changes, avoid privileged production sessions, verify npm packages before running npx commands, and treat Playwright traces, screenshots, videos, reports, downloads, and saved auth files as sensitive outputs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The guidance recommends keeping traces and failure artifacts but does not warn that Playwright reports, screenshots, videos, and traces can capture sensitive page content, tokens, PII, session state, or internal URLs. In a browser automation skill, this omission is materially risky because CI artifacts are commonly accessible to developers, reviewers, or external systems and can become an unintended data-exfiltration channel.

VirusTotal

66/66 vendors flagged this skill as clean.
