e2e-role-test
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill has a large attack surface for indirect injection.
  - Ingestion points: It reads role definitions and credentials from tests/e2e-test-plan.md (Step 0) and captures live web content via browser_snapshot (Steps 2, 3, 4).
  - Boundary markers: The instructions lack delimiters or warnings to ignore embedded commands in the processed data.
  - Capability inventory: The skill uses Playwright MCP for full browser automation, including browser_fill_form and browser_click. It explicitly performs high-privilege actions like 'Modify configurations' and 'Delete user' in Step 4.
  - Sanitization: There is no logic to sanitize or validate the content of the test plan or web pages before use.
- [Data Exposure] (LOW): The skill is designed to read tests/e2e-test-plan.md, which contains credentials. If this file is populated with real-world secrets instead of test-only data, it exposes them to the agent context.
Recommendations
- AI detected serious security threats
Audit Metadata