webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The helper script scripts/with_server.py is designed to execute arbitrary shell commands provided as command-line arguments. It uses subprocess.Popen with shell=True for server commands and subprocess.run for the primary execution command, allowing for unrestricted system command execution.
- [PROMPT_INJECTION]: The SKILL.md file contains instructions that discourage the agent from performing security reviews on the included code ('DO NOT read the source until you try running the script first'), which is an anti-analysis pattern that could facilitate the execution of malicious logic.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted content from web applications via Playwright and possessing high-privilege shell access.
  - Ingestion points: examples/element_discovery.py reads DOM content; examples/console_logging.py captures browser console output.
  - Boundary markers: No delimiters or warnings are used to prevent the agent from interpreting ingested data as instructions.
  - Capability inventory: scripts/with_server.py provides shell execution capabilities; the examples/ scripts have file-system write access.
  - Sanitization: No evidence of sanitization or filtering is present for data ingested from the browser before potential use in system commands.
Recommendations
- AI detected serious security threats
Audit Metadata