webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 18, 2026
Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The helper script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to start servers and `subprocess.run` to execute automation commands. This design facilitates arbitrary shell command execution, which is a high-risk pattern if the inputs are influenced by untrusted data.
- [PROMPT_INJECTION] (MEDIUM): The `SKILL.md` documentation explicitly instructs the agent to avoid reading the source code of its scripts ("DO NOT read the source until you try running the script first"). This is a deceptive instruction that attempts to bypass the agent's standard safety practice of verifying code before execution.
- [PROMPT_INJECTION] (LOW): The skill is susceptible to indirect prompt injection because it captures and processes data from local or remote web pages (e.g., DOM content, console logs) without any sanitization or boundary markers.
  - Ingestion points: `examples/element_discovery.py` (DOM scraping) and `examples/console_logging.py` (browser logs).
  - Boundary markers: None; there are no instructions or delimiters to help the agent distinguish between untrusted web data and system instructions.
  - Capability inventory: The agent has the ability to execute shell commands via the `with_server.py` script and write to the local file system.
  - Sanitization: No sanitization or filtering of the retrieved web content is implemented.
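The COMMAND_EXECUTION finding turns on one detail: with `shell=True`, the command string is parsed by `/bin/sh`, so any attacker-influenced fragment can append a second command. The following is an added, self-contained example written for this page; it is not the skill's own `with_server.py`. The function names (`run_with_shell`, `run_without_shell`, `build_server_argv`, `port_is_valid`, `demo_injection`) are hypothetical, the injected command is constructed here for illustration, and the stdlib `http.server` stands in for whatever server the real script launches.

```python
"""Added example for this audit page: how a shell=True launcher becomes a
command-injection sink, and two ways to remove the sink. Illustrative code
only; not the audited skill's own script. All function names are hypothetical."""

import shlex
import subprocess
import sys


def run_with_shell(command: str) -> list[str]:
    """Risky pattern (what the finding describes): the whole string goes to
    /bin/sh, so ';', '&&', backticks and $(...) are interpreted.
    Returns stdout split into lines."""
    proc = subprocess.run(command, shell=True, capture_output=True, text=True)
    return proc.stdout.splitlines()


def run_without_shell(command: str) -> list[str]:
    """Partial mitigation: tokenise into argv and exec directly with no shell.
    Shell metacharacters become inert literal arguments. The caller still picks
    the program, so this only helps when the program is trusted and only the
    *arguments* are tainted."""
    argv = shlex.split(command)
    proc = subprocess.run(argv, capture_output=True, text=True)
    return proc.stdout.splitlines()


def port_is_valid(port: str) -> bool:
    """Allowlist check for the one untrusted value a server launcher needs."""
    return port.isdigit() and 1 <= int(port) <= 65535


def build_server_argv(bind_host: str, port: str) -> list[str]:
    """Hardened pattern: program and flags are fixed constants; the untrusted
    value is validated and placed as a single argv element, never interpolated
    into a shell string. http.server is a stand-in for the real server."""
    if not port_is_valid(port):
        raise ValueError(f"refusing to start server: bad port {port!r}")
    return [sys.executable, "-m", "http.server", "--bind", bind_host, port]


def demo_injection() -> dict[str, list[str]]:
    """Constructed input (not from the audited project): a trusted launch
    command with an attacker-influenced suffix that appends a second command.
    The 'server' is just python -c print(...) so the demo runs offline."""
    py = shlex.quote(sys.executable)
    trusted_part = f"{py} -c 'print(\"server started\")'"
    tainted_suffix = f"; {py} -c 'print(\"INJECTED\")'"
    command = trusted_part + tainted_suffix
    return {
        "shell=True": run_with_shell(command),      # both commands execute
        "shell=False": run_without_shell(command),  # only the first executes
    }


if __name__ == "__main__":
    for mode, lines in demo_injection().items():
        print(f"{mode}: {lines}")
    print(build_server_argv("127.0.0.1", "8000"))
```

Running the block shows the difference the finding is about: under `shell=True` the output contains both `server started` and `INJECTED`; under the argv form the `;` is just part of an argument and only the first program runs. `build_server_argv` is the shape to aim for in a launcher like the one described: no command string at all, and untrusted values checked against an allowlist before they reach `subprocess`.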
Audit Metadata