webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Prompt Injection] (MEDIUM): The instructions 'DO NOT read the source until you try running the script first' and 'These scripts... exist to be called directly as black-box scripts' are deceptive patterns that attempt to override the agent's safety reasoning. By discouraging code inspection, the skill facilitates the execution of potentially malicious local scripts without oversight.
  • [Command Execution] (LOW): The skill's primary function involves running shell commands (e.g., 'npm run dev', 'python scripts/with_server.py') and executing dynamically generated Python scripts. While expected for the task, this provides a high-privilege execution environment.
  • [Indirect Prompt Injection] (LOW): The skill interacts with external web applications and processes their DOM content. Evidence Chain:
    1. Ingestion points: 'page.content()' and 'page.locator()'.
    2. Boundary markers: None present.
    3. Capability inventory: Execution of local scripts and shell commands.
    4. Sanitization: No sanitization of ingested web data is mentioned before it influences agent logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 06:28 PM