webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/with_server.py utilizes subprocess.Popen with shell=True and subprocess.run to execute commands provided via CLI arguments. While intended for starting development servers and running automation tests, this functionality provides a mechanism for arbitrary command execution on the host system.
- [PROMPT_INJECTION]: The skill exposes a surface for indirect prompt injection by processing untrusted data from web applications and browser logs. 1. Ingestion points: Untrusted content is ingested through page.content(), page.locator().inner_text(), and page.on('console') handlers as shown in examples/element_discovery.py and examples/console_logging.py. 2. Boundary markers: No delimiters or instructions are used to signal that content retrieved from the browser should be treated as untrusted or ignored if it contains instructions. 3. Capability inventory: The skill has access to shell execution capabilities through with_server.py and can perform file writes to /mnt/user-data/outputs/ and /tmp/. 4. Sanitization: There is no evidence of sanitization or validation of the content retrieved from the web browser before it is processed by the agent.
Audit Metadata