webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The helper script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to launch servers and `subprocess.run` for automation commands. This allows the execution of arbitrary shell commands. While this functionality is intended for web application testing, it represents a high-risk capability if the input commands are manipulated.
- PROMPT_INJECTION (MEDIUM): The `SKILL.md` file explicitly instructs the agent: 'DO NOT read the source until you try running the script first'. This pattern discourages the agent from performing a security review of the executable code before it is run, potentially allowing malicious instructions embedded in the scripts to execute undetected.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is designed to interact with external web applications and inspect their DOM state using Playwright (e.g., `page.content()`).
  - Ingestion points: Untrusted data enters the agent context through page content and DOM selectors.
  - Boundary markers: None are present; there are no instructions to ignore or delimit potentially malicious instructions found within the tested web pages.
  - Capability inventory: The skill can execute shell commands and manage local processes via `scripts/with_server.py`.
  - Sanitization: There is no evidence of sanitization or validation of the ingested DOM data before it is used to determine subsequent automation steps.
Audit Metadata