webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The file scripts/with_server.py uses subprocess.Popen(shell=True) to execute strings passed directly to the --server argument. This allows arbitrary shell command execution within the agent's environment.
- PROMPT_INJECTION (LOW): The SKILL.md file contains instructions explicitly telling the agent: 'DO NOT read the source until you try running the script first'. This pattern attempts to bypass the agent's ability to verify the safety and logic of the code it is executing.
- INDIRECT_PROMPT_INJECTION (LOW): The skill ingests untrusted data from web pages (DOM, console logs) via Playwright without sanitization or boundary markers.
  - Ingestion points: examples/console_logging.py (capturing console messages), examples/element_discovery.py (DOM inspection).
  - Boundary markers: None detected in prompt templates or scripts.
  - Capability inventory: Arbitrary shell execution via scripts/with_server.py.
  - Sanitization: None detected.
- DATA_EXPOSURE (LOW): The automation examples save potentially sensitive web application data (screenshots, console logs) to /tmp and /mnt/user-data/outputs/.
Audit Metadata