webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill contains a 'black-box' instruction: 'DO NOT read the source until you try running the script first... They exist to be called directly as black-box scripts rather than ingested into your context window.' This is a direct attempt to bypass security review and AI oversight of executable code.
- [COMMAND_EXECUTION] (HIGH): The
scripts/with_server.pyutility is designed to execute arbitrary shell commands provided via the--serverflag (e.g.,npm run dev,python server.py). This creates a significant risk of command injection if the server strings are influenced by untrusted data. - [REMOTE_CODE_EXECUTION] (HIGH): The skill facilitates the creation and execution of Playwright automation scripts. Because these scripts interact with web content, they are vulnerable to indirect prompt injection where a malicious web page could trigger the agent to execute unauthorized logic within the Playwright context.
- [DATA_EXFILTRATION] (MEDIUM): The skill provides patterns for capturing DOM content and screenshots (e.g.,
/tmp/inspect.png). In the absence of strict output controls, this capability can be used to capture and exfiltrate sensitive data from local-network applications or user sessions.
Recommendations
- AI detected serious security threats
Audit Metadata