develop-web-game
Sensitive Files
- Clean filesystem scan
Deep Audit Findings
The 'Develop Web Game' skill provides a Playwright-based testing loop for building web games. However, the client script does not sanitize the `--url` parameter, allowing for Server-Side Request Forgery (SSRF) and Local File Read via `file://` URIs. An attacker could exploit this by instructing the agent to load sensitive local files or internal metadata endpoints, take screenshots of them, and use the agent's vision capabilities to exfiltrate the data. Additionally, path traversal is possible through the output directory and actions file arguments.
Local File Read and SSRF via Unrestricted `--url` parameter
The Playwright client accepts any URL, including `file://` schemes and internal network addresses. If an attacker controls the prompt, they can force the agent to load local files or internal cloud metadata services into the browser, capture a screenshot, and use the agent's vision capabilities to read and exfiltrate the contents.
Path Traversal in `--screenshot-dir` and `--actions-file`
The script uses user-provided paths for reading the actions file and saving outputs without validation. While the filenames it writes are hardcoded (e.g., `shot-X.png`), an attacker could point the actions file argument at arbitrary files on the filesystem (which the script will attempt to parse as JSON) or cause output directories to be created in unintended locations.
Attack Surface Chain
1. Attacker provides a malicious prompt asking the agent to test a 'game' located at a sensitive path (e.g., `file:///etc/passwd`) or internal service (e.g., `http://169.254.169.254/latest/meta-data/`).
2. Agent executes the `web_game_playwright_client.js` script with the malicious `--url`.
3. Playwright loads the sensitive file/URL into the headless browser.
4. The script automatically captures a screenshot of the rendered sensitive data and saves it to the output directory.
5. The attacker's prompt instructs the agent to analyze the generated screenshot visually and output or exfiltrate the text it sees.