webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 20, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The script scripts/with_server.py uses subprocess.Popen with shell=True to launch server commands and subprocess.run to execute automation scripts. This allows arbitrary command execution on the host. While necessary for the skill's primary purpose of managing local development environments, it poses a risk if an attacker can manipulate the command strings. The severity is adjusted to MEDIUM because it is an intended core capability.
  • [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it ingests untrusted data from web pages (DOM text, attributes, and console logs) and presents it to the agent without sanitization or boundary markers.
      ◦ Ingestion points: examples/element_discovery.py (extracts inner text and attributes) and examples/console_logging.py (captures console logs).
      ◦ Boundary markers: Absent. There are no instructions to the agent to disregard or isolate instructions found within the tested web applications.
      ◦ Capability inventory: The skill can execute arbitrary shell commands via subprocess and write files to the output directory.
      ◦ Sanitization: None. The extracted browser data is used directly in the agent's context.
  • [COMMAND_EXECUTION] (LOW): The SKILL.md file contains instructions telling the agent to treat the provided scripts as 'black boxes' and to 'DO NOT read the source'. This discourages the agent from auditing the code it executes, potentially leading to the execution of malicious logic if the scripts were tampered with.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 20, 2026, 06:05 AM