qa-team
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGHDATA_EXFILTRATIONCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from external sources (websites, mobile apps, and native macOS apps) and possesses powerful execution capabilities.
- Ingestion points:
mcp__claude-in-chrome__read_page(Web),mcp__ios-simulator__ui_describe_all(iOS), andmcp__mac-mcp-server__get_ui_elements(macOS). - Boundary markers: Absent. There are no instructions for sub-agents to ignore or sanitize embedded commands within the UI or page content.
- Capability inventory:
mcp__claude-in-chrome__javascript_tool(JS execution),mcp__electron__send_command_to_electron(JS/Command execution in Electron), and native interaction tools likemcp__mac-mcp-server__type_text. - Sanitization: Absent. The workflows directly process UI elements and execute commands based on the findings.
- Data Exposure (HIGH): The skill explicitly instructs agents to read sensitive local files located at
~/.claude/agents/*.md(e.g.,quality-engineer.md,gui-phd-web-electron.md). These files often contain proprietary instructions, configurations, or credentials for AI agent environments. - Dynamic Execution (HIGH): The workflows utilize tools such as
send_command_to_electronandjavascript_toolto execute arbitrary code within the context of the application being tested. This is highly dangerous if the input to these commands is influenced by malicious content on a web page or in an app UI. - Excessive Permissions (MEDIUM): The
allowed-toolslist includes broad access toBash,Write,Edit, and various system-level MCP servers, providing a large attack surface if any of the specialized agents are compromised via injection.
Recommendations
- AI detected serious security threats
Audit Metadata