webapp-testing

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly susceptible to Indirect Prompt Injection (Category 8) because it processes untrusted web data using powerful tools. Evidence Chain: 1. Ingestion points: The agent is instructed to visit URLs using Playwright and scan API endpoints for routes. 2. Boundary markers: Absent. There are no instructions to help the agent distinguish between the developer's goals and content found on target sites. 3. Capability inventory: The skill allows 'Bash', 'Write', 'Edit', and 'Grep', providing a direct path from injection to system impact. 4. Sanitization: None provided. The agent is encouraged to 'Discover and test everything' without safety checks for malicious HTML/API responses.
  • COMMAND_EXECUTION (MEDIUM): The skill grants the 'Bash' tool and uses it to install dependencies and run local scripts. While the requested permissions are aligned with the stated purpose, the combination with untrusted external input elevates the risk.
  • EXTERNAL_DOWNLOADS (LOW): The skill requires 'pip install playwright'. While Playwright is a trusted package, it involves downloading and executing external code at runtime. Per [TRUST-SCOPE-RULE], this is downgraded to LOW as it targets a standard registry.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 12:58 PM