webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Prompt Injection (MEDIUM): The
SKILL.mdfile contains instructions designed to prevent the AI from inspecting the source code of its tools: "DO NOT read the source until you try running the script first... They exist to be called directly as black-box scripts." This is an obfuscation technique aimed at bypassing the agent's internal safety reasoning and auditing capabilities. - Command Execution (MEDIUM): The file
scripts/with_server.pyis a wrapper for executing arbitrary shell commands usingsubprocess.Popen(shell=True). While intended for starting servers, it lacks any validation of the commands passed to it, making it a potential vector for arbitrary code execution if the agent is influenced by untrusted input. - Indirect Prompt Injection (LOW): The skill is designed to interact with and extract data from web applications, which are untrusted external sources.
- Ingestion points: Web content is ingested via
page.content(),page.locator().all(), and browser console logs inexamples/console_logging.pyandexamples/element_discovery.py. - Boundary markers: None. The instructions do not recommend using delimiters or warnings when processing web data.
- Capability inventory: The agent has access to arbitrary shell execution through the
scripts/with_server.pyutility. - Sanitization: There is no evidence of sanitization or filtering of the HTML or console output before the agent processes it.
Audit Metadata