qa-tester
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to read and strictly follow the content of the 'docs/' folder to generate test strategies and executable code.
- Ingestion points: Project files in 'docs/' (SKILL.md), web search results ('search_web'), and browser content ('browser_subagent').
- Boundary markers: Absent. The skill provides no delimiters or instructions to ignore malicious commands embedded in the documentation it reads.
- Capability inventory: Writing and executing Playwright/Jest/Vitest scripts, modifying local files in the reports directory, and performing complex browser automation via 'browser_subagent'.
- Sanitization: None. The skill directly translates documentation requirements into executable logic.
- Command Execution & Dynamic Code Gen (HIGH): The skill explicitly encourages the conversion of Markdown test cases into executable Playwright or Jest scripts (SKILL.md, references/automation/playwright.md). In an adversarial context, this allows an attacker to achieve Remote Code Execution (RCE) by providing malicious 'requirements' in the documentation.
- Data Exposure (LOW): The skill has permissions for 'read_file' and 'list_dir'. While intended for documentation review, a compromised instruction could redirect these tools to harvest sensitive files like '.env' or SSH keys from the project root.
Recommendations
- AI detected serious security threats
Audit Metadata