webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH CREDENTIALS_UNSAFE COMMAND_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): Hardcoded authentication credentials found in multiple test scripts.
- Evidence (test_health_check.py): Contains hardcoded email 'samyna@iknowfirst.com' and password 'ikf123456'.
- Evidence (test_login.py): Contains the same hardcoded email 'samyna@iknowfirst.com' and password 'ikf123456'.
- [COMMAND_EXECUTION] (MEDIUM): The skill facilitates arbitrary command execution through helper scripts using risky shell configurations.
- Evidence (scripts/with_server.py): Uses `subprocess.Popen(cmd, shell=True)` where `cmd` is a string passed directly from command-line arguments. This pattern is vulnerable to command injection if input is not strictly controlled.
- Evidence (scripts/with_server.py): Uses `subprocess.run(args.command)` to execute remaining arguments as a system command.
- [DECEPTION / RECONNAISSANCE] (LOW): The documentation contains instructions that actively discourage security auditing of its components.
- Evidence (SKILL.md): States 'DO NOT read the source until you try running the script first'. This 'black-box' approach prevents users from identifying the hardcoded secrets and shell execution risks mentioned above.
Recommendations
- AI detected serious security threats
Audit Metadata