webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The utility script scripts/with_server.py executes arbitrary commands provided as CLI arguments using subprocess.Popen(..., shell=True). While intended to start development servers, this pattern allows for shell command injection if the arguments are influenced by untrusted input.
- [PROMPT_INJECTION]: The SKILL.md file includes an instruction telling the agent: "DO NOT read the source until you try running the script first". This is a concealment pattern that hinders the agent's ability to audit its own tools for security issues or unexpected behavior during execution.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8):
  - Ingestion points: The agent reads external data from web pages using page.content() and page.locator().all() in examples/element_discovery.py.
  - Boundary markers: No delimiters or instructions are used to distinguish untrusted web content from the agent's core instructions.
  - Capability inventory: The skill possesses powerful capabilities, including executing shell commands (scripts/with_server.py) and writing files to the local system (examples/console_logging.py).
  - Sanitization: There is no evidence of sanitization or validation performed on the data retrieved from the web before it is printed to logs or processed by the agent.
Audit Metadata