webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The skill contains deceptive instructions designed to bypass agent inspection. Specifically, the line 'DO NOT read the source until you try running the script first' discourages the agent from auditing the logic of
scripts/with_server.pybefore execution, which is a common evasion tactic to hide malicious behavior in referenced files. - COMMAND_EXECUTION (MEDIUM): The
scripts/with_server.pyutility is designed to execute arbitrary shell commands provided via the--serverflag (e.g.,npm run dev,python server.py). This creates a direct sink for command injection if the agent is influenced by malicious user input to run unauthorized background processes. - REMOTE_CODE_EXECUTION (MEDIUM): The skill's primary workflow involves the agent dynamically writing and executing Python scripts using the Playwright library. While intended for testing, this capability allows for the execution of any Python code, including networking or filesystem operations, if the generation process is subverted.
- INDIRECT_PROMPT_INJECTION (LOW): The skill creates a significant attack surface by ingesting untrusted data from web pages.
- Ingestion points:
page.content(),page.locator('button').all(), and DOM inspection. - Boundary markers: Absent; there are no instructions to the agent to ignore or delimit instructions found within the HTML content it retrieves.
- Capability inventory: Arbitrary subprocess execution via
with_server.py, file writes to/tmp/, and full network access via Playwright. - Sanitization: Absent; the skill does not suggest any escaping or validation of retrieved web content before processing it for selectors or logic.
Audit Metadata