webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The
SKILL.mdfile contains instructions that actively discourage the agent from inspecting the source code of its scripts, stating 'DO NOT read the source' and 'Use bundled scripts as black boxes'. This is a deceptive pattern designed to bypass the agent's ability to verify the security and behavior of the code it is instructed to run. - [COMMAND_EXECUTION]: The helper script
scripts/with_server.pyusessubprocess.Popenwithshell=Trueto execute server commands. This is a dangerous coding practice that facilitates arbitrary shell command execution and makes the skill vulnerable to command injection if arguments are derived from unvalidated sources. - [COMMAND_EXECUTION]: The
with_server.pyscript is designed to execute arbitrary secondary commands provided as trailing arguments viasubprocess.run, which allows the agent to trigger the execution of any local executable or script without safety constraints. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface where untrusted data could influence command execution.
- Ingestion points:
examples/console_logging.py(captures browser console logs) andexamples/element_discovery.py(extracts DOM content). - Boundary markers: Absent; there are no instructions or delimiters provided to ensure the agent ignores potentially malicious commands embedded in the web content it processes.
- Capability inventory: The
scripts/with_server.pyscript provides capabilities for arbitrary shell and command execution viaPopenandruncalls. - Sanitization: Absent; external content extracted from web pages is not sanitized or validated before being incorporated into the agent's workflow.
Audit Metadata