webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script
scripts/with_server.pyusessubprocess.Popen(shell=True)to execute server commands andsubprocess.run()for testing commands. This provides a direct path for arbitrary command execution on the host system if the input strings are manipulated. - [PROMPT_INJECTION]: Documentation in
SKILL.mdexplicitly instructs the agent to 'DO NOT read the source' of the scripts before running them. This directive discourages the agent from performing its usual role of verifying and understanding the code it interacts with, which could be used to mask malicious behavior. - [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection.
- Ingestion points:
examples/element_discovery.pyandexamples/console_logging.pyread DOM content and console logs from web applications being tested. - Boundary markers: Absent. No instructions or delimiters are provided to the agent to ignore instructions found within the tested web content.
- Capability inventory: Includes arbitrary shell command execution via
with_server.pyand filesystem writes for logs and screenshots. - Sanitization: Absent. Content retrieved via Playwright is processed by the agent without any sanitization or escaping.
Audit Metadata