Is playwright-mcp safe?

https://clawhub.ai/Spiceman161/playwright-mcp

62
CAUTION

The playwright-mcp skill is a wrapper around Microsoft's official Playwright MCP server for browser automation. The SKILL.md content itself is clean documentation with no prompt injection. However, the installation-time filesystem monitoring revealed access to sensitive credential files (.aws/credentials, .env, auth-profiles.json) which is concerning even if attributable to the OpenClaw framework rather than the skill itself. The skill's inherent capabilities (arbitrary JS execution, unrestricted URL navigation, file upload) create a significant attack surface that requires user awareness.

Category Scores

Prompt Injection 82/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 55/100 · 20%
Clone Behavior 30/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

CRITICAL AWS credentials accessed during installation -40

The filesystem monitor recorded that /home/oc-exec/.aws/credentials was OPENED and ACCESSED during the skill installation process. A browser automation skill should have no reason to read AWS credentials. While this could be the OpenClaw framework's own startup behavior rather than the skill itself, the access occurred in the installation window and cannot be definitively attributed.

HIGH Sensitive environment files read during installation -35

The installation process read .env, .aws/credentials, and auth-profiles.json, all of which contain secrets. Even without observed outbound network traffic, these reads could stage data for later exfiltration or be part of a supply chain attack in which credentials are cached locally.

HIGH browser_evaluate enables arbitrary JavaScript execution -15

The skill exposes browser_evaluate which runs arbitrary JavaScript in the browser context. This can extract cookies, localStorage, sessionStorage, and any DOM content from visited pages. An attacker-crafted prompt could use this to exfiltrate session tokens.

MEDIUM Browser automation enables SSRF and internal network scanning -20

browser_navigate can target internal URLs (localhost, cloud metadata endpoints such as 169.254.169.254, internal DNS names). This could be exploited to reach internal services or cloud instance metadata, or to perform port scanning from within the user's network.

MEDIUM Suggests disabling HTTPS verification -8

The skill documents --ignore-https-errors as a configuration option. If an agent follows this suggestion, it would disable TLS certificate validation, enabling man-in-the-middle attacks on all browser traffic.

MEDIUM Global npm package installation with full system access -15

The skill instructs npm install -g @playwright/mcp, which installs the package globally. The @playwright/mcp package itself is maintained by Microsoft and generally trusted, but a global installation runs the MCP server process with system-wide access rather than project-scoped permissions.

MEDIUM File upload capability via browser_choose_file -15

The browser_choose_file tool enables uploading local files to websites. Combined with browser_navigate to an attacker-controlled domain, this creates a direct file exfiltration path that bypasses network-level monitoring.

LOW Temp directory and JIT cache files created during install -5

Installation created /tmp/openclaw-1000/ with a gateway lock file and multiple JIT-compiled module caches in /tmp/jiti/. This appears to be normal OpenClaw framework behavior but expands the filesystem footprint beyond the skill directory.

LOW Suggests --no-sandbox browser mode -5

The security notes mention --no-sandbox with a caution warning. If an agent disables sandboxing, the browser process has unrestricted system access.

INFO examples.py is a benign conceptual demo -5

The examples.py file imports subprocess but uses it only conceptually, printing what MCP calls would look like. It does not execute any actual commands and poses no direct risk.