webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 21, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The script
scripts/with_server.pyexecutes user-provided strings from the--serverargument usingsubprocess.Popenwithshell=True. This allows for arbitrary command execution and is highly susceptible to command injection if the input contains shell metacharacters. - [PROMPT_INJECTION] (MEDIUM): The
SKILL.mdfile contains instructions that attempt to override the agent's standard operating procedure by stating 'DO NOT read the source until you try running the script first'. This is a deceptive pattern designed to discourage the agent from inspecting potentially malicious code before execution. - [INDIRECT_PROMPT_INJECTION] (LOW): The skill provides patterns for ingesting untrusted data from external web applications which could contain malicious instructions.
- Ingestion points:
examples/element_discovery.pyandexamples/console_logging.py(viapage.content(),inner_text(), and console logs). - Boundary markers: None identified in the provided examples.
- Capability inventory: File system writes (to
/mnt/user-data/outputs/) and arbitrary shell execution viascripts/with_server.py. - Sanitization: None; external content is printed directly to the console or written to files.
Recommendations
- AI detected serious security threats
Audit Metadata