pst-explore
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFE
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill performs shell commands to manage local directories and execute browser automation via playwright-cli. Evidence: Use of mkdir to create session folders and playwright-cli commands (open, snapshot, screenshot, click, close) to drive the browser.
- [REMOTE_CODE_EXECUTION]: The skill uses playwright-cli eval to run JavaScript within the browser context to extract page state and element attributes. Evidence: Multiple eval calls in Step 3 and the sign-in flow example extract link hrefs, button texts, and document titles.
- [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection because it incorporates data from third-party websites into its generated insights.md report.
  - Ingestion points: Browser snapshots and extracted DOM text in SKILL.md (Step 3).
  - Boundary markers: Absent; there are no explicit instructions to the agent to delimit potentially malicious instructions found on visited pages.
  - Capability inventory: Local filesystem writes (insights.md) and browser automation.
  - Sanitization: No sanitization or validation of the extracted web content is mentioned.