webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen(..., shell=True) and subprocess.run(args.command) to execute strings passed as arguments. This behavior allows for the execution of arbitrary shell commands.
- [PROMPT_INJECTION]: The documentation in SKILL.md includes an instruction for the agent to 'DO NOT read the source until you try running the script first', which is a directive aimed at bypassing the agent's scrutiny of the code before execution.
- [PROMPT_INJECTION]: The skill creates a surface for indirect prompt injection (Category 8):
  - Ingestion points: Untrusted data is ingested from web applications using Playwright calls such as page.content(), button.inner_text(), and console log listeners in examples/element_discovery.py and examples/console_logging.py.
  - Boundary markers: No delimiters or safety instructions are provided to help the agent distinguish between its system instructions and the content of the pages it visits.
  - Capability inventory: The skill possesses the capability to write and execute Python scripts and run shell commands through the scripts/with_server.py utility.
  - Sanitization: No sanitization or validation mechanisms are present to filter data retrieved from external web pages before it influences the agent's logic.
Audit Metadata