webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill documentation promotes using a script
scripts/with_server.pythat takes arbitrary shell commands via the--serverparameter (e.g.,npm run dev,python server.py). This allows for arbitrary command execution on the host machine. - [PROMPT_INJECTION] (HIGH): The instructions contain an explicit directive to the agent: '勿优先读源码; 脚本可能很大,作为黑盒调用即可' ('Do not prioritize reading the source code; the script may be large, just call it as a black box'). This is a deceptive instruction designed to evade security analysis of the scripts provided with the skill.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The skill involves the dynamic generation and execution of Python scripts (
your_automation.py) using Playwright. If the logic for these scripts is influenced by untrusted external content, it could lead to full system compromise. - [INDIRECT PROMPT INJECTION] (HIGH): This skill uses Playwright to navigate to web pages. Because the skill also possesses command execution capabilities (via
with_server.py), it is highly vulnerable to indirect prompt injection. A malicious web page could contain hidden instructions that coerce the agent into executing harmful shell commands.
Recommendations
- AI detected serious security threats
Audit Metadata