webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The helper script scripts/with_server.py utilizes subprocess.Popen(shell=True) to execute strings passed to the --server argument. This pattern is highly susceptible to command injection if an attacker can influence the arguments provided to the script.
- DATA_EXFILTRATION (LOW): Multiple scripts (console_logging.py, element_discovery.py, static_html_automation.py) capture and write browser screenshots and console logs to the local filesystem (/tmp and /mnt/user-data/outputs/). This exposure is limited to the local system but constitutes an exfiltration vector for sensitive UI data.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection. As it is designed to crawl and interact with local web applications, a malicious or compromised webapp could inject instructions into the DOM or console logs intended to manipulate the AI agent's subsequent actions.
  - Ingestion points: Browser console logs via page.on("console", ...) and page content via page.content() and page.locator(...).all().
  - Boundary markers: None identified in the provided scripts to distinguish untrusted web data from system instructions.
  - Capability inventory: Full shell execution capability via scripts/with_server.py and local file writes via Playwright screenshots.
  - Sanitization: No sanitization or filtering of captured console logs or DOM content is performed before processing or saving.
- EXTERNAL_DOWNLOADS (SAFE): The skill identifies its source as https://github.com/anthropics/skills, which is a trusted GitHub organization. Per the TRUST-SCOPE-RULE, the reference itself is considered low risk.
Recommendations
- AI detected serious security threats