testing-evidence-collector
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions in SKILL.md and the implementation in capture_screenshot.py frequently use subprocess.run and direct shell commands like curl, ls, and npx to perform environment checks and execute browser automation tools.
- [REMOTE_CODE_EXECUTION]: In scripts/capture_screenshot.py, the skill dynamically generates temporary JavaScript or Python scripts using string templates and executes them via subprocess. The provided URL and output paths are interpolated directly into these templates with minimal escaping, which could lead to code injection within the temporary script context if a maliciously crafted URL is processed.
- [EXTERNAL_DOWNLOADS]: The skill requires and encourages the installation of external dependencies, specifically the playwright library and its associated browser binaries, through the Node.js (npm) or Python (pip) package managers.
- [PROMPT_INJECTION]: The skill facilitates indirect prompt injection (Category 8) by browsing and capturing content from arbitrary URLs provided by the agent or user.
- Ingestion points: The url argument in scripts/capture_screenshot.py allows the skill to ingest data from external web sources.
- Boundary markers: Not present; the skill treats captured content as binary evidence but lacks safeguards if an agent subsequently parses the content of the captured pages.
- Capability inventory: The skill possesses significant local capabilities, including file system access and the ability to execute arbitrary subprocesses through its utility scripts.
- Sanitization: There is no significant sanitization or validation of the input URL before it is used in code generation or browser navigation.
Audit Metadata