qa-regression
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill possesses a high-risk attack surface for indirect injection because it processes untrusted data from external websites while maintaining powerful capabilities.
  - Ingestion points: The agent loads and interacts with web content via page.goto() in login.spec.ts, load.spec.ts, and create.spec.ts.
  - Boundary markers: None; there are no instructions to help the agent distinguish between test logic and potentially malicious prompts embedded in the target website.
  - Capability inventory: The agent has the ability to interact with web UIs (click, fill) and perform administrative cleanup via the fetch API in helpers/users.ts using an ADMIN_TOKEN.
  - Sanitization: None; data retrieved from the browser is not filtered or escaped before being processed by the agent.
- [Unverifiable Dependencies] (LOW): The skill relies on external packages (playwright, @playwright/test) and browser binaries downloaded from the NPM registry. While these come from a trusted source (Microsoft), they constitute external code dependencies.
- [Command Execution] (LOW): The skill instructions involve executing shell commands (npm install, npx playwright test) to set up the environment and run tests; this is standard practice but still a necessary part of the attack surface.
Recommendations
- AI detected serious security threats
Audit Metadata