webapp-testing

Warn

Audited by Gen Agent Trust Hub on Mar 1, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/with_server.py uses subprocess.Popen with shell=True to execute arbitrary strings provided as server commands. It also uses subprocess.run to execute the main automation command. This allows the execution of arbitrary shell commands within the environment.
  • [PROMPT_INJECTION]: The SKILL.md file explicitly instructs the AI agent to avoid reading the source code of the provided scripts before execution ('DO NOT read the source until you try running the script first'). This instruction discourages auditing of the script's logic, such as the use of shell=True or other potentially dangerous operations, before they are run.
  • [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection because it is designed to ingest and process content from web applications.
      • Ingestion points: Untrusted data enters the context through browser console logs (msg.text), rendered page content (page.content()), and DOM element text (inner_text) via Playwright.
      • Boundary markers: No delimiters or instructions are present to warn the agent to ignore instructions embedded within the retrieved web content.
      • Capability inventory: The agent has the capability to execute arbitrary shell commands via scripts/with_server.py and write files to the local system.
      • Sanitization: There is no evidence of sanitization or validation of the data scraped from web pages before it is processed by the agent.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 1, 2026, 06:46 PM