webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (MEDIUM): The script
scripts/with_server.pyusessubprocess.Popen(shell=True)to execute server commands andsubprocess.run()for the main automation command. This allows the execution of arbitrary shell commands provided via arguments. While intended for managing local development servers, the use ofshell=Trueincreases the risk of command injection if arguments are influenced by untrusted data. - PROMPT_INJECTION (LOW): The
SKILL.mdfile contains instructions explicitly telling the agent 'DO NOT read the source until you try running the script first'. This meta-instruction discourages the agent from verifying the behavior of the scripts it executes, which is a poor security practice and could be used to mask malicious activity in those scripts. - PROMPT_INJECTION (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8).
- Ingestion points: Web application content is ingested via Playwright in
examples/element_discovery.pyandexamples/console_logging.pyusingpage.content()andpage.goto(). - Boundary markers: Absent. There are no instructions to the agent to ignore or delimit instructions found within the processed HTML or console logs.
- Capability inventory: The skill can execute arbitrary shell commands via
scripts/with_server.pyand write files to the filesystem. - Sanitization: Absent. Data extracted from the browser is used to inform subsequent agent actions without validation.
Audit Metadata