browse
Fail
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [PROMPT_INJECTION]: The skill includes a deceptive "IMPORTANT" warning in SKILL.md that instructs the agent to avoid platform-native tools and instead use a specific, non-standard external package (@playwright/cli). This is a tool-override pattern used to steer agents toward untrusted dependencies.
- [EXTERNAL_DOWNLOADS]: The skill uses npx to download and execute the @playwright/cli package. This package name mimics the official Playwright tool but is not the standard distribution, indicating a high risk of package substitution or a supply chain attack.
- [REMOTE_CODE_EXECUTION]: The run-code command allows for the execution of arbitrary JavaScript within the browser context. When combined with an untrusted external dependency, this provides a direct vector for remote code execution and unauthorized operations.
- [DATA_EXFILTRATION]: The skill provides extensive capabilities for accessing and exporting sensitive session data, such as cookie-list, cookie-get, and state-save (which writes all cookies and local storage to a file). This functionality enables the harvesting of authentication tokens and session credentials.
- [COMMAND_EXECUTION]: The skill provides broad access to shell-based browser automation via npx. This allows for a variety of interactions that could be used to manipulate web applications or exfiltrate data from internal tools.
- [DATA_EXFILTRATION]: The skill provides an attack surface for indirect prompt injection. By navigating to and taking snapshots of arbitrary websites, the agent may ingest and follow malicious instructions embedded in the site's content. This risk is amplified by the skill's ability to execute scripts (run-code) and modify browser state.
  - Ingestion points: npx @playwright/cli snapshot and page navigation (documented in SKILL.md).
  - Boundary markers: Absent; no instructions are provided to the agent to treat external page content as untrusted data.
  - Capability inventory: run-code (script execution), state-save (file write), and cookie-set (state modification).
  - Sanitization: Absent; the skill does not include any validation or filtering of content retrieved from web pages.
Recommendations
- AI detected serious security threats
Audit Metadata