webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 19, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill explicitly instructs the agent to 'DO NOT read the source until you try running the script first' and to use bundled scripts as 'black boxes'. This discourages the agent from performing safety checks on local code before execution, which is a significant security bypass.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of arbitrary shell commands (e.g., 'npm run dev', 'python server.py') via the 'with_server.py' helper and the generation of custom Playwright scripts. This provides a direct path for executing commands on the host system.
  • [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and analyze untrusted data from web applications (e.g., page.content(), browser logs), which could contain malicious instructions targeting the agent.
  • [INDIRECT_PROMPT_INJECTION]:
    1. Ingestion points: 'page.content()', 'page.locator()', and console log capture.
    2. Boundary markers: Absent; the agent is not instructed to distinguish between app data and instructions.
    3. Capability inventory: Subprocess execution via 'with_server.py' and browser automation via Playwright.
    4. Sanitization: Absent; no verification or escaping of the ingested web content is performed.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 19, 2026, 06:16 AM