webapp-testing
Fail
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to execute server commands provided as command-line arguments. This pattern is highly susceptible to command injection if the arguments are influenced by untrusted data.
- [REMOTE_CODE_EXECUTION]: The skill provides mechanisms to execute arbitrary shell commands and Python/TypeScript scripts, which constitutes a broad remote code execution surface.
- [PROMPT_INJECTION]: The `SKILL.md` file contains instructions that explicitly tell the agent "DO NOT read the source until you try running the script first". This instruction discourages the agent from performing a security review of the code it is about to execute, which is a malicious instructional pattern.
- [EXTERNAL_DOWNLOADS]: The skill directs the user to install the `playwright` package and its associated browser binaries from external repositories. While Playwright is a well-known tool, this adds to the external dependency surface.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from web pages while holding significant system capabilities.
  - Ingestion points: web content is ingested via `page.goto()` and `page.locator().inner_text()` in `SKILL.md` and `examples/element_discovery.py`.
  - Boundary markers: absent. There are no delimiters or instructions telling the agent to ignore commands embedded in the web pages being tested.
  - Capability inventory: the skill can execute arbitrary shell commands via `subprocess.Popen` and `subprocess.run` in `scripts/with_server.py`, and can write files to the local system, as seen in `examples/console_logging.py`.
  - Sanitization: absent. No evidence of content escaping, validation, or filtering of external web data was found.
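The COMMAND_EXECUTION finding above is about how a command string reaches the operating system, not about any particular server. The block below is an added illustration written for this page, not the skill's own `scripts/with_server.py`: it runs the same constructed command string once through `shell=True` (the flagged pattern) and once as an argv list with `shell=False`, and checks whether the `; echo INJECTED` suffix, standing in for attacker-controlled text, executed as a separate command. The command string, the payload and the helper names are all assumptions made for the demonstration; it needs a POSIX `sh` and `echo`.

```python
import shlex
import subprocess

# Constructed input: what a caller might pass as the "server command" argument.
# Everything after ';' stands in for untrusted text appended by an attacker.
UNTRUSTED_COMMAND = "echo server-started; echo INJECTED"


def run_with_shell(cmd: str) -> str:
    """The flagged pattern: the whole string is handed to /bin/sh, so ';', '&&',
    '|' and '$(...)' are interpreted by the shell. Returns captured stdout."""
    result = subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=False
    )
    return result.stdout


def run_as_argv(cmd: str) -> str:
    """Hardened form: tokenize once with shlex and pass an argv list with
    shell=False. No shell runs, so metacharacters are plain argument text
    for the executable (here 'echo' receives 'server-started;' as a word)."""
    argv = shlex.split(cmd)
    result = subprocess.run(
        argv, shell=False, capture_output=True, text=True, check=False
    )
    return result.stdout


def injected(output: str) -> bool:
    """True when the payload ran as its own command, i.e. produced its own line."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("shell=True :", repr(run_with_shell(UNTRUSTED_COMMAND)))
    print("argv list  :", repr(run_as_argv(UNTRUSTED_COMMAND)))
```

The argv form removes shell interpretation, which is the injection the finding describes, but it does not stop the caller from choosing the executable: if the first token can come from untrusted input, the script should also check it against an allowlist of permitted binaries. Pipelines and redirections cannot be expressed in an argv list; when they are needed, compose them in Python (chained `Popen` objects, `stdout=` file handles) rather than through `sh -c`.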
Recommendations
- AI detected serious security threats
Audit Metadata