web-automation
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM. Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [Dynamic Execution] (MEDIUM): The file `scripts/server_utils.py` performs a dynamic path injection by adding `~/.claude/lib` to `sys.path`. It then imports a local library `server_detection` from this hidden directory. This pattern bypasses standard dependency management and relies on the presence of unverified code in a hidden user folder.
- [Command Execution] (MEDIUM): The skill is designed to automatically detect and start development servers (e.g., Hugo, Vite, Django) as documented in `references/test-framework.md` and implemented in `scripts/server_utils.py`. The agent can be induced to execute arbitrary shell commands (e.g., `npm run dev`) simply by being pointed to a directory containing a crafted configuration file (like `package.json`).
- [Indirect Prompt Injection] (LOW): Multiple scripts (`console_logging.py`, `element_discovery.py`, `visual_compare.py`) navigate to and process content from untrusted external URLs. This creates a surface for indirect prompt injection where a malicious site could influence the agent via console logs or page metadata.
  - Ingestion points: `url` CLI arguments passed to Playwright navigation functions.
  - Boundary markers: None present; external content is processed directly into logs or JSON output.
  - Capability inventory: Subprocess spawning (server startup), file system writes (screenshots/JSON), and arbitrary network access via the browser.
  - Sanitization: No sanitization or validation of page content or console messages before processing.
- [External Downloads] (LOW): The skill requires the `playwright` package, which downloads and executes browser binaries (Chromium) from external servers during setup. While Playwright is a trusted project, this is a required external binary dependency.
Audit Metadata