captcha
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation instructs the user to install well-known and reputable third-party packages, including Playwright and official SDKs for Anthropic and OpenAI. It also includes commands to download browser binaries via the Playwright CLI.
- [COMMAND_EXECUTION]: The skill uses `subprocess.run` to execute a bundled Python script (`solve_captcha.py`). This script uses only the Python standard library to communicate with CAPTCHA solving APIs and is invoked with local environment variables for configuration.
- [DATA_EXFILTRATION]: The skill transmits site-specific CAPTCHA metadata, such as the `sitekey` and `pageurl`, to external solving services (2captcha, CapMonster, and Anti-Captcha). This is the primary and intended function of the skill to obtain solution tokens.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes visual data from external websites.
  - Ingestion points: Browser screenshots of CAPTCHA challenges are captured and sent to external vision AI models (Claude or GPT-4V) via `solve_image_grid.py`.
  - Boundary markers: No explicit delimiters are used in the vision prompt to distinguish the untrusted image content from the task instructions.
  - Capability inventory: The script has the capability to perform automated clicks on browser elements and navigate pages using Playwright.
  - Sanitization: The skill implements sanitization by using regular expressions to extract a JSON array from the AI's response and strictly validating that the content consists only of integers corresponding to valid grid cell numbers.
Audit Metadata