webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (HIGH): The SKILL.md file contains a deceptive instruction telling the agent 'DO NOT read the source until you try running the script first'. This directive is a direct attempt to bypass the agent's safety and auditing processes by encouraging the execution of unvetted code.
- COMMAND_EXECUTION (HIGH): The utility script
scripts/with_server.pyusessubprocess.Popenwithshell=Trueto execute strings provided via the--serverargument. This provides a powerful primitive for arbitrary shell command execution, which is highly dangerous if inputs are influenced by untrusted sources. - DATA_EXPOSURE (LOW): The skill is configured to save screenshots and browser logs to directories like
/tmp/and/mnt/user-data/outputs/. If the web applications being tested contain sensitive user data or credentials, this information could be exposed on the local filesystem. - INDIRECT_PROMPT_INJECTION (LOW): The skill interacts with web pages and captures their content and console logs, creating a surface for indirect prompt injection. 1. Ingestion points: Data is ingested via
page.content()and browser console logs. 2. Boundary markers: No boundary markers or 'ignore' instructions are present to protect against instructions embedded in web content. 3. Capability inventory: The skill includes powerful command execution capabilities viawith_server.py. 4. Sanitization: No sanitization or validation of the data retrieved from the browser is implemented.
Recommendations
- AI detected serious security threats
Audit Metadata