qa-testing
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill directs the agent to access and read sensitive configuration files (e.g., packages/config/src/qa.ts) and environment files (e.g., apps/app/.env) which are expected to contain whitelisted emails and service role keys like SUPABASE_SERVICE_ROLE_KEY.
- [COMMAND_EXECUTION]: The workflow relies heavily on executing shell commands to interact with the agent-browser CLI, manage local development servers (e.g., bun run dev), and execute local scripts.
- [REMOTE_CODE_EXECUTION]: The skill explicitly instructs the agent to dynamically generate, execute, and then delete temporary database seeding scripts to establish application state when UI paths are unavailable.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the web application's UI via browser snapshots and screenshots while maintaining access to powerful shell capabilities.
- Ingestion points: File reads of browser snapshots and visual analysis of screenshots generated by the agent-browser tool.
- Boundary markers: Absent; there are no instructions to delimit or ignore instructions that may be embedded in the application's user interface.
- Capability inventory: Shell access for tool execution, server management, and file system operations (script creation).
- Sanitization: No sanitization or validation of the data retrieved from the browser is implemented.
Audit Metadata