playwright-npx

clawhub:playwright-npx

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 2

Findings (2)

LOW

Dynamic code evaluation CMDEXEC_002

command-execution L81

Detects eval() or exec() used for dynamic code execution

eval('

FIX

Replace eval()/exec() with a safer alternative such as json.loads(), ast.literal_eval(), or a purpose-built parser.

FP?

Likely FP if the matched text contains 'exec' as part of a word (e.g., 'execute', 'execution') rather than an actual eval() or exec() call.

LOW

Runtime URL controlling behavior THIRDPARTY_001

third-party-content L211

Detects URLs fetched at runtime that control or influence agent behavior without pinning

get javascript https:// + Settings

FIX

Avoid loading configuration or behavior-controlling content from runtime URLs. Bundle required configurations locally or pin remote config to versioned, integrity-verified endpoints.

FP?

Likely FP if the URL in the match is a documentation link or example URL (e.g., example.com) rather than an actual runtime-fetched configuration endpoint.