e2e-test-runner
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONCREDENTIALS_UNSAFE
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to monitor and "Interpret Results" from E2E tests and browser logs. Since the agent has powerful execute capabilities, this creates a Category 8 vulnerability surface where malicious instructions embedded in the application under test (e.g., in user-generated content or UI elements) could compromise the agent.
- Ingestion Points: Terminal output from
node oauth-authentication.test.js, browser logs, and responses fromcurlrequests to local services. - Boundary Markers: Absent. The instructions encourage the agent to read and act upon the "entire test output."
- Capability Inventory: Ability to execute arbitrary shell commands (
yarn,node,docker), terminate processes (kill -9), and run a custom provided shell script (check-services.sh). - Sanitization: None detected. The agent directly processes raw output strings.
- Command Execution (HIGH): The skill provides instructions to execute various system-level commands, including container management (
docker compose), build tools (yarn), and process termination (kill -9). It also relies on a custom shell script (scripts/check-services.sh) distributed with the skill, which increases the risk if the skill's source is untrusted. - Data Exposure (HIGH): The skill instructions and verification scripts repeatedly access
.env.localfiles (Category 2). Accessing and grepping these files into the agent's context can lead to the exposure of sensitive secrets or credentials in session logs. - External Dependency (LOW): The skill references an external API (
https://api.cluster-fluster.com) that is not part of the trusted source list. While primarily used for connectivity checks and configuration, it represents an unverified external dependency.
Recommendations
- AI detected serious security threats
Audit Metadata