webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The `SKILL.md` file contains instructions that explicitly tell the agent to treat scripts in the `scripts/` directory as "black boxes" and "DO NOT read the source until you try running the script first." This pattern attempts to bypass the agent's ability to audit code for security or safety issues before execution.
- [COMMAND_EXECUTION]: The script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to execute commands passed via the `--server` argument. This creates a risk of arbitrary command execution if the agent interpolates untrusted user input into these commands.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by processing untrusted data from web pages (via Playwright) and passing it to the agent's context or local storage.
  - Ingestion points: `examples/console_logging.py` captures browser console logs; `examples/element_discovery.py` extracts text and attributes from the DOM.
  - Boundary markers: Absent. There are no instructions or delimiters to help the agent distinguish between web content and its own instructions.
  - Capability inventory: The skill can execute shell commands (`scripts/with_server.py`) and write to the local file system (`examples/console_logging.py`, `examples/element_discovery.py`).
  - Sanitization: Absent. Web content is logged or extracted verbatim.