testing-blocks
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill requires the agent to visit external URLs using Playwright and analyze the results (accessibility snapshots, console logs, and screenshots). This untrusted data is ingested into the agent's context without any sanitization or boundary markers. An attacker controlling the test URL could embed malicious instructions to manipulate the agent's logic during the PR validation process.
- Ingestion points:
page.goto(),page.accessibility.snapshot(), andpage.on('console', ...)inSKILL.md(Option 2). - Boundary markers: None present in the instructions.
- Capability inventory: Execution of
node,npm run,aem up, and file system writes viafs.promises.writeFile. - Sanitization: No sanitization or filtering of external content is specified.
- Dynamic Execution (HIGH): In Step 2 (Option 2), the skill explicitly instructs the agent to write a temporary JavaScript file (
test-my-block.js) and execute it using thenodecommand. This 'script generation + execution' pattern is highly exploitable if the logic of the script is influenced by external input or malicious injection. - Command Execution (MEDIUM): The skill relies on multiple subprocess calls to
npmandaemCLI tools. While these are standard for the intended dev environment, they represent high-privilege capabilities that escalate the severity of other vulnerabilities like injection. - Unverifiable Dependencies (LOW): The skill suggests installing several Node.js packages (
vitest,jsdom, etc.). While these are from trusted registries, they are unversioned in the documentation, which is a minor best-practice violation.
Recommendations
- AI detected serious security threats
Audit Metadata