webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/with_server.pyutilizessubprocess.Popenwithshell=Trueto execute commands passed through the--serverargument. It also executes a final command usingsubprocess.run. This allows for arbitrary shell command execution within the environment.- [PROMPT_INJECTION]: TheSKILL.mdfile contains instructions that discourage the agent from inspecting the skill's source code ("DO NOT read the source until you try running the script first"). This behavior attempts to bypass the agent's internal safety review processes and could be used to facilitate the execution of hidden malicious commands.- [PROMPT_INJECTION]: The skill facilitates the ingestion of untrusted data from web applications via DOM inspection (page.content()) and console log capture. This creates a surface for indirect prompt injection where a malicious website could provide instructions that the agent might follow. Evidence details: - Ingestion points:
examples/element_discovery.pyandexamples/console_logging.pyread content directly from the browser context. - Boundary markers: No explicit boundary markers or "ignore instructions" warnings are present to protect the agent from untrusted web content.
- Capability inventory: The agent has access to arbitrary command execution via
scripts/with_server.py. - Sanitization: No sanitization or filtering of ingested web content or logs is performed before processing.
Audit Metadata