webapp-testing

Fail

Audited by Gen Agent Trust Hub on Feb 18, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [PROMPT_INJECTION] (HIGH): The SKILL.md documentation contains explicit instructions for the AI agent to 'DO NOT read the source' and to treat scripts as 'black-box'. This is a defense-evasion technique designed to prevent the AI from auditing the code it is instructed to run.
  • [COMMAND_EXECUTION] (HIGH): The script 'scripts/with_server.py' utilizes 'subprocess.Popen' with 'shell=True' to execute server commands provided via CLI arguments. This enables arbitrary shell command execution and command chaining, which is particularly dangerous when the agent is discouraged from reviewing the script logic.
  • [DATA_EXPOSURE] (LOW): The automation scripts utilize Playwright, which supports the 'file://' protocol, allowing the agent to read arbitrary local files if prompted by an external source or malicious instruction.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill extracts data from web applications via DOM inspection and console log capture, creating an ingestion surface for untrusted data.
    • Ingestion points: 'examples/element_discovery.py' (page.locator), 'examples/console_logging.py' (page.on('console')).
    • Boundary markers: None identified.
    • Capability inventory: 'subprocess.Popen' and 'subprocess.run' in 'scripts/with_server.py'.
    • Sanitization: None; external content is printed and saved directly to files.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 18, 2026, 12:01 AM