webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The utility script scripts/with_server.py uses subprocess.Popen(shell=True) and subprocess.run() to execute arbitrary strings provided as command-line arguments. This allows the agent to execute any shell command on the host system.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8). It is designed to navigate to external websites, inspect their DOM, and take screenshots. If a processed website contains malicious instructions, the agent could be tricked into using the skill's command execution capabilities to perform unauthorized actions. The documentation in SKILL.md specifically instructs the agent 'DO NOT read the source' of scripts, which functions as a psychological bypass to prevent the agent from identifying these security risks.
- [DATA_EXFILTRATION] (MEDIUM): The example examples/static_html_automation.py demonstrates the use of file:// URLs to access local files. This capability, combined with the browser's networking and the skill's shell access, enables the exposure and exfiltration of sensitive local data.
Recommendations
- AI detected serious security threats
Audit Metadata