webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 15, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` for the server commands and `subprocess.run` for the final command. With `shell=True` the whole command line is interpreted by the shell, so if any argument is influenced by untrusted data, shell metacharacters in it (`;`, `|`, `$(...)` and the like) lead to arbitrary command execution.
- [PROMPT_INJECTION] (HIGH): The skill is exposed to indirect prompt injection: it ingests untrusted data from web pages (via `page.content()` and `page.locator()`) while holding high-privilege capabilities such as shell command execution. Evidence: ingestion occurs in `SKILL.md` and `examples/element_discovery.py`; the capabilities live in `scripts/with_server.py`; boundary markers and sanitization are entirely absent, so nothing separates page-supplied text from the agent's instructions or from the arguments it passes to the shell.
- [DYNAMIC_EXECUTION] (MEDIUM): The core workflow has the agent dynamically generate and execute Playwright scripts based on the state of external web applications. This is a significant attack surface because the code that runs is shaped by content the skill does not control.
- [OBFUSCATION] (LOW): `SKILL.md` explicitly instructs the agent 'DO NOT read the source' of the helper scripts until absolutely necessary, which discourages security inspection of the tool's behaviour.
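The two HIGH findings chain together: text lifted from a page flows into a command string that `shell=True` hands to the shell. The following is an added example (not code from the audited skill or from its `scripts/with_server.py`) that reproduces that chain with a constructed page and a stand-in server command, and sets the vulnerable pattern beside the hardened one. The server command is a Python one-liner that echoes its first argument, the page HTML is constructed, and the function names (`naive_port_from_page`, `validated_port_from_page`, `start_with_shell`, `start_as_argv`) are hypothetical.

```python
"""Added example: untrusted page text reaching a shell=True sink, and the
argv-list form plus allowlist validation that close it.  Stand-in names and
inputs are constructed for the demo; nothing here is the audited skill's code."""
import os
import re
import shlex
import subprocess
import sys

# Constructed stand-in for the "server command": a Python one-liner that
# prints its first argument, so the demo needs no real web server.
SERVER_ARGV = [sys.executable, "-c", "import sys; print(sys.argv[1])"]

# Constructed page content of the kind page.content() returns.  The title is
# attacker-controlled and smuggles a second shell command after the port.
PAGE_HTML = "<html><title>Port 8080; echo INJECTED</title></html>"

# The shell=True demonstration relies on /bin/sh semantics.
IS_POSIX = os.name == "posix"


def naive_port_from_page(html: str) -> str:
    """Mimics an agent lifting a value from page text with no boundary and no
    validation: whatever follows 'Port ' inside <title> is taken verbatim."""
    m = re.search(r"<title>Port ([^<]*)</title>", html)
    return m.group(1) if m else ""


def validated_port_from_page(html: str) -> str:
    """Same extraction, but the value must match an allowlist (a decimal port)
    before it may reach a subprocess; anything else is rejected, not repaired."""
    raw = naive_port_from_page(html)
    if not re.fullmatch(r"[1-9][0-9]{0,4}", raw):
        raise ValueError(f"untrusted page value rejected: {raw!r}")
    return raw


def start_with_shell(port: str) -> str:
    """Vulnerable pattern: one command string interpreted by /bin/sh, so
    metacharacters in `port` become additional commands."""
    cmdline = " ".join(shlex.quote(p) for p in SERVER_ARGV) + " " + port
    done = subprocess.run(cmdline, shell=True, capture_output=True, text=True)
    return done.stdout


def start_as_argv(port: str) -> str:
    """Hardened pattern: an argv list and no shell, so `port` reaches the
    program as exactly one argument whatever characters it contains."""
    done = subprocess.run([*SERVER_ARGV, port], capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    port = naive_port_from_page(PAGE_HTML)
    print("argv form :", repr(start_as_argv(port)))     # one literal argument
    if IS_POSIX:
        print("shell form:", repr(start_with_shell(port)))  # 'echo INJECTED' ran
    try:
        validated_port_from_page(PAGE_HTML)
    except ValueError as exc:
        print("validation:", exc)
```

Running it on a POSIX host shows the difference directly: the argv form prints the whole string `8080; echo INJECTED` as a single argument, while the `shell=True` form prints `8080` and then `INJECTED`, the second command having been executed by the shell. The allowlist check rejects the page value outright; validation belongs at the point where page-derived data is turned into an argument, not at the `subprocess` call.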
Recommendations
- The automated review flagged serious security threats (two HIGH findings). Remediations that follow directly from the findings: pass server commands to `subprocess` as argument lists without `shell=True`, and validate any argument derived from page content against an allowlist before it reaches a subprocess; wrap text obtained via `page.content()` and `page.locator()` in explicit boundary markers and treat it as data rather than instructions; drop the `SKILL.md` instruction that discourages reading the helper scripts, so reviewers and the agent can inspect what `scripts/with_server.py` executes.