webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill directs the agent to 'DO NOT read the source' of scripts and treat them as 'black-box' components. This is a malicious behavioral instruction intended to bypass security verification by preventing the agent from auditing bundled code before execution.
- COMMAND_EXECUTION (HIGH): The
with_server.pyhelper script accepts arbitrary shell commands via the--serverflag. This allows for direct command injection if the input is influenced by untrusted data. - REMOTE_CODE_EXECUTION (HIGH): The skill facilitates an Indirect Prompt Injection surface: it ingests untrusted data via
page.content()andpage.locator().all()(Ingestion in SKILL.md), lacks boundary markers for external data (Boundary), possesses the capability to execute shell commands and Python scripts (Capabilities), and lacks input sanitization (Sanitization). This combination allows external web content to potentially take control of the agent's execution environment. - DATA_EXPOSURE (MEDIUM): The toolkit uses
page.screenshot()andpage.content()to capture full-page data from local and remote applications, which can leak session tokens, PII, and internal configurations into the agent's context and logs.
Recommendations
- AI detected serious security threats
Audit Metadata