testability-scoring
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell and Node.js scripts (`run-assessment.sh`, `generate-html-report.js`) to perform browser automation and data processing.
- [COMMAND_EXECUTION]: The report generation script starts an ephemeral local HTTP server to host the results and utilizes `child_process.exec` to automatically launch the default system browser.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to run Playwright and optionally integrates with Vibium, which involves fetching well-known packages from the npm registry.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it analyzes content from arbitrary target URLs provided by the user.
  - Ingestion points: The `testability-scoring.spec.template.js` file navigates to and extracts data from external websites.
  - Boundary markers: The analysis logic does not implement explicit delimiters or instructions to ignore potential injection patterns within the processed web content.
  - Capability inventory: The skill can execute shell commands, perform local file writes, and open local network ports.
  - Sanitization: No evidence of sanitization was found for the external page content before it is incorporated into assessment metrics.
Audit Metadata