webapp-testing

Warn

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute strings provided via the --server command-line argument. This allows for arbitrary shell command execution.
  • [COMMAND_EXECUTION]: Instructions in SKILL.md encourage the agent to treat scripts as 'black boxes' and explicitly state 'DO NOT read the source until you try running the script first'. This is a concealment pattern that reduces human/agent oversight of executable code.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from web pages.
      • Ingestion points: examples/element_discovery.py (via page.content()), examples/console_logging.py (via page.on("console", ...)), and SKILL.md (via page.locator(...).all()).
      • Boundary markers: Absent. The skill does not use delimiters or instructions to ignore embedded commands in the web content being processed.
      • Capability inventory: The agent can execute arbitrary shell commands via scripts/with_server.py and write files to /mnt/user-data/outputs/ (seen in examples/static_html_automation.py).
      • Sanitization: Absent. There is no evidence of sanitization or validation of the content retrieved from the web applications before it is processed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 2, 2026, 12:09 AM