webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to execute server commands provided via the `--server` argument. This enables arbitrary shell command execution. While this is part of the skill's primary purpose (running dev servers), the use of `shell=True` on variable input is a significant security risk.
- [PROMPT_INJECTION] (LOW): `SKILL.md` contains an instruction telling the agent 'DO NOT read the source until you try running the script first'. This discourages the agent from performing a security review of the executable scripts it is about to run, potentially allowing malicious logic in the scripts to go unnoticed during execution.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill creates an attack surface for indirect injection as it is designed to ingest and process untrusted data from web pages.
  - Ingestion points: The skill reads live web content via `page.content()` and `page.locator().all()` in `SKILL.md` and `examples/element_discovery.py`.
  - Boundary markers: None identified. The instructions do not warn the agent to ignore instructions embedded in the HTML or console logs.
  - Capability inventory: The skill has powerful capabilities, including arbitrary shell execution via `scripts/with_server.py` and filesystem access via screenshot/log saving.
  - Sanitization: There is no evidence of sanitization for the content extracted from the browser before it is processed by the agent.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on the `playwright` package, which is a standard library but downloads browser binaries during setup (though not explicitly shown in the provided scripts).
Audit Metadata