sg-visual-fix
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill reads and executes shell commands from visual-tests/_config.yaml via the build_command field. This allows for arbitrary command execution if an attacker can modify the local configuration file.
- [COMMAND_EXECUTION]: The skill implements an auto-detection mechanism for build commands, checking package.json, docker-compose.yml, and Playwright configurations. It then proposes or executes these detected commands (npm run build, docker compose up, etc.), which can be exploited by placing malicious scripts in these standard files.
- [COMMAND_EXECUTION]: The skill executes a local Node.js script, node visual-tests/build-review.mjs, with various flags (--serve, --stop). While the path is static, the behavior of this script depends on the repository's content.
- [PROMPT_INJECTION]: The skill processes a JSON manifest (visual-tests/_results/fix-manifest.json) containing a list of steps. The instructions state the agent should "execute test steps from manifest," creating a surface for indirect prompt injection if the manifest contains malicious instructions or actions intended to steer the agent's behavior.
- [PROMPT_INJECTION]: The skill includes instructions to "auto-detect before asking the user" for build commands, which reduces human oversight and increases the risk of automatic execution of malicious commands found in the environment.
- [DATA_EXPOSURE]: The skill has the capability to read any file (e.g., app/.../page.tsx, package.json, CSS files) and screenshots. While intended for its primary purpose, this access is broad and relies on the agent correctly scoping its tracing activities.
Audit Metadata