Is mahone-bot/playwright-npx safe?
https://github.com/openclaw/skills/tree/main/skills/mahone-bot/playwright-npx
The playwright-npx skill is a legitimate browser automation tool with no malicious content, no prompt injection, and no active data exfiltration during the audit period. Its risk profile is driven entirely by the broad capabilities Playwright grants an agent (arbitrary URL visits, JavaScript execution, credential form-fill, session persistence, network interception) rather than any malicious intent in the skill itself. All canary honeypots remained intact and the install was clean.
Findings (7)
LOW Session persistence pattern saves browser auth tokens to disk -8
The login-session.mjs example and the Persistent Session section in SKILL.md explicitly document saving browser storageState (cookies, localStorage, sessionStorage) to tmp/session.json. An agent following this pattern could inadvertently or deliberately persist authenticated sessions for later reuse or exfiltration.
LOW Form credential patterns in examples teach password/email injection -5
Multiple examples show filling input[name='email'] and input[name='password'] fields. While these are standard automation patterns, they normalize having the agent handle raw credentials, increasing the risk of credential leakage in logs or output.
LOW Skill normalizes writing and executing arbitrary local JavaScript -15
The core workflow documented is: copy a template to tmp/, edit it, run it with node script.mjs. This establishes a pattern where the agent routinely writes files to disk and executes them as processes, expanding the agent's effective execution surface beyond tool calls.
LOW Seven pre-built execution templates included -12
The skill ships seven .mjs template files (minimal, screenshot, scrape, login-session, form-interaction) that are syntactically complete and ready to execute. An agent instructed to 'run the scrape template' can do so immediately without writing any code itself.
INFO Broad browser automation capability amplifies risk when combined with malicious context -20
Playwright automation grants an agent the ability to visit any URL, execute JavaScript in page context, capture full-page screenshots, intercept all network requests and responses, and persist authenticated sessions. While this is the documented purpose, any skill or user prompt that provides a malicious target URL could leverage these capabilities for data harvesting, credential theft, or automated social engineering at scale.
INFO Install process is transparent and matches expected source 0
The install cloned from https://github.com/openclaw/skills.git via git sparse-checkout targeting only skills/mahone-bot/playwright-npx, then copied to skill-under-test/. No secondary downloads, no package installation, no execution of skill content during install.
INFO No prompt injection or hidden instructions detected 0
SKILL.md was fully inspected. It contains only legitimate Playwright documentation with code examples. No hidden Unicode, zero-width characters, HTML comments with instructions, base64-encoded directives, or requests to override agent context were found.