webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The helper script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to execute commands provided via command-line arguments. This pattern allows for arbitrary shell command execution and is vulnerable to shell injection.
- [COMMAND_EXECUTION]: The `scripts/with_server.py` script also uses `subprocess.run` to execute the primary automation command, allowing the agent to launch any local binary or script.
- [DATA_EXFILTRATION]: The skill is designed to capture browser screenshots and console logs, saving them to local directories like `/tmp/` and `/mnt/user-data/outputs/`. This capability can be abused to exfiltrate sensitive data if the agent is directed to browse local system files or malicious URLs.
- [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection:
  - Ingestion points: Browser data is ingested via `page.content()`, `page.screenshot()`, and console log handlers in `examples/element_discovery.py` and `examples/console_logging.py`.
  - Boundary markers: None. The skill does not use delimiters or provide instructions to the agent to ignore potentially malicious instructions embedded in web content.
  - Capability inventory: High-privilege capabilities are present, including arbitrary shell command execution via `scripts/with_server.py` and the ability to write files to the local system.
  - Sanitization: None. Data retrieved from external web pages is processed without validation or sanitization.
Audit Metadata