web-search
Pass
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it retrieves and processes untrusted content from the web via search engines.
  - Ingestion points: Bing and Google search results are extracted in 'server/search/bing.ts' and 'server/search/google.ts'.
  - Boundary markers: Extracted text is returned as Markdown without explicit delimiters to isolate untrusted content from agent instructions.
  - Capability inventory: The skill can launch browsers, navigate URLs, take screenshots, and extract text/HTML.
  - Sanitization: Uses textContent to avoid script execution in the scraping context, but does not filter natural language instructions.
- [COMMAND_EXECUTION]: The skill spawns local browser processes (Chrome/Chromium) to perform automation tasks using 'child_process.spawn' in 'server/playwright/browser.ts'.
- [EXTERNAL_DOWNLOADS]: The 'scripts/start-server.sh' script performs dependency installation via 'npm install' for standard packages like 'express' and 'playwright-core'.
- [REMOTE_CODE_EXECUTION]: The 'server/playwright/operations.ts' file contains an 'evaluate' helper function that uses the 'eval()' sink to execute code within the browser context. This function is not currently exposed via the server's API routes, which mitigates direct exploitability.
Audit Metadata