Security risk report for @forgecat/openai_skills_playwright-interactive v0.0.10
Source Integrity
SRC-010Medium
Profile claims to be sourced from OpenAI's official skills repository (https://github.com/openai/skills) with a specific commit hash, but the commit date (2026-03-24) is in the future, indicating potential metadata inconsistency or fabrication.
The source attribution to OpenAI and Apache-2.0 license cannot be independently verified from the profile alone; caution is warranted when installing from external repositories.
The skill explicitly instructs the agent to run Codex with `--sandbox danger-full-access`, disabling sandboxing protections — this is a security-weakening instruction that broadens the attack surface for any code executed during the session.
No credential exfiltration, role-hijacking, or hidden instruction patterns were found; the content is focused on legitimate Playwright/UI debugging workflows.
The instruction to disable sandboxing, while framed as a 'temporary requirement', could be exploited if a malicious actor controls the profile or the apps being debugged, as it removes a key containment layer.
Details
Evidence
"For now, run this workflow with sandboxing disabled: start Codex with `--sandbox danger-full-access` (or the equivalent config for `sandbox_mode=danger-full-access`). This is a temporary requirement..."
Permissions
PRM-000High
The skill explicitly requires disabling sandboxing and enabling js_repl, which grants unrestricted JavaScript execution, full filesystem access, and arbitrary process spawning—far beyond the stated purpose of UI debugging.
The workflow involves launching browsers and Electron apps with persistent handles, installing npm packages, and executing arbitrary Node.js code in the user's workspace without scope restrictions.
The preconditions mandate `danger-full-access` mode, making this a high-risk tool category (arbitrary code execution) with authority unrelated to safe debugging and directly contradicting security defaults.
Details
Evidence
"start Codex with `--sandbox danger-full-access` (or the equivalent config for `sandbox_mode=danger-full-access`)"
"npm install playwright" and subsequent Node.js import/execution in js_repl
"keep the same handles alive across iterations" with persistent browser/Electron process control
MCP Risk
Low
No MCP servers are declared in the profile, so there is no risk from external tool definitions or hidden instructions in server configurations.
The skill relies on js_repl (a built-in Codex/Cursor feature) rather than external MCP integrations.