webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The script scripts/with_server.py utilizes subprocess.Popen(shell=True) and subprocess.run() to execute commands passed as arguments. This allows the agent to execute arbitrary shell commands under the guise of starting a server or running automation, which could be exploited if the agent is influenced by untrusted data.
- PROMPT_INJECTION (LOW): SKILL.md explicitly instructs the agent: 'DO NOT read the source until you try running the script first'. Although context-window management is cited as the reason, this is a known technique to prevent the AI from performing a security audit on potentially malicious scripts before invoking them.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to ingest and process content from web applications (via Playwright).
  - Ingestion points: page.goto(), page.content(), and page.on('console', ...) in examples/console_logging.py and examples/element_discovery.py.
  - Boundary markers: Absent. There are no instructions for the agent to distinguish between the skill's instructions and text found on the target web pages.
  - Capability inventory: The skill possesses high-impact capabilities including arbitrary shell execution (scripts/with_server.py), file system writes (examples/console_logging.py), and browser interaction.
  - Sanitization: No sanitization or validation of data retrieved from the browser is performed before it is used or logged.
- DATA_EXPOSURE (SAFE): While the skill captures screenshots and console logs, the examples show these being stored in local directories like /tmp/ and /mnt/user-data/outputs/. No exfiltration to external domains was detected.
Audit Metadata