webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The utility `scripts/with_server.py` uses `subprocess.Popen(shell=True)` to execute the command string provided in the `--server` argument. This allows for arbitrary shell command execution and is a high-risk pattern if the input contains unsanitized user-provided data.
- [COMMAND_EXECUTION]: The same script uses `subprocess.run` to execute arbitrary trailing command-line arguments as a subprocess, granting the agent broad execution capabilities.
- [PROMPT_INJECTION]: The skill provides an attack surface for Indirect Prompt Injection by ingesting untrusted data from web pages and console logs.
  - Ingestion points: `examples/element_discovery.py` extracts element text, and `examples/console_logging.py` captures browser console messages.
  - Boundary markers: None; external content is interpolated directly into the agent's context without delimiters.
  - Capability inventory: The skill allows execution of arbitrary shell commands via its helper scripts.
  - Sanitization: No sanitization or safety filtering is performed on the data retrieved from the browser.
- [PROMPT_INJECTION]: The documentation in `SKILL.md` explicitly instructs the agent not to read the source code of the provided scripts unless absolutely necessary, claiming they are 'very large'. This is a deceptive instruction, as the scripts are relatively small, and it effectively discourages the agent from identifying insecure implementation details like `shell=True`.
Audit Metadata