webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/with_server.pyusessubprocess.Popen(..., shell=True)to execute commands provided via the--serverargument. This allows for arbitrary shell command execution and is a high-risk pattern if the command strings are influenced by untrusted input. - [PROMPT_INJECTION]:
SKILL.mdcontains meta-instructions that attempt to influence agent behavior by discouraging the inspection of script source code. Phrases like "DO NOT read the source until you try running the script first" and the suggestion to treat scripts as "black boxes" may lead an agent to execute dangerous logic without prior validation. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its ingestion of untrusted data from web applications.
- Ingestion points:
examples/element_discovery.pyusespage.locator().all()andinner_text()to read web page content, whileexamples/console_logging.pycaptures browser console logs viapage.on("console", ...). - Boundary markers: Extracted data is printed or logged directly without delimiters or warnings to the agent to disregard embedded instructions.
- Capability inventory: The skill provides the ability to execute shell commands (via
with_server.py), write to the filesystem, and perform network operations via Playwright. - Sanitization: No sanitization or validation is performed on the data extracted from the web browser context before it is processed by the agent.
Audit Metadata