webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The file scripts/with_server.py uses subprocess.Popen(shell=True) to execute server commands provided as arguments. This is a security anti-pattern that allows for arbitrary command execution and shell injection if the inputs are not strictly validated.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill is designed to have the agent dynamically generate and execute local Python scripts using Playwright. This pattern of 'generate-then-execute' is inherently higher risk as it allows the agent to execute arbitrary code on the host system.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection.
  - Ingestion points: The agent reads web page content via page.content(), inner_text(), and page.on("console") (found in examples/).
  - Boundary markers: No markers or 'ignore' instructions are present to separate untrusted web data from the agent's internal logic.
  - Capability inventory: The agent has access to file system writes (/mnt/user-data/outputs/), network access (via Playwright), and shell execution (scripts/with_server.py).
  - Sanitization: No sanitization or validation of the ingested web content is performed before it is used to decide the next action.
- [METADATA_POISONING] (MEDIUM): The SKILL.md instructions explicitly tell the agent 'DO NOT read the source until you try running the script first'. This discourages the agent from auditing its own tools for security issues before execution, which is an adversarial pattern.
Audit Metadata