moai-workflow-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- Command Execution (MEDIUM): The file scripts/with_server.py uses subprocess.Popen with shell=True (line 86) and subprocess.run (line 103) to execute arbitrary strings provided as command-line arguments. This pattern is dangerous if the agent or a user passes unvalidated input originating from an untrusted source, potentially leading to shell injection.
- Indirect Prompt Injection (LOW): Several scripts (examples/ai-powered-testing.py, examples/element_discovery.py) automate browser interactions, creating an ingestion surface for malicious instructions embedded in web pages.
- Ingestion points: Untrusted data enters the agent context via page.goto() and element discovery methods such as page.locator("button").all() in examples/ai-powered-testing.py (line 26) and examples/element_discovery.py (line 14).
- Boundary markers: No boundary markers or instructions to ignore embedded commands were found in the scripts that process external web content.
- Capability inventory: The skill possesses significant capabilities, including browser control via Playwright and arbitrary command execution via scripts/with_server.py.
- Sanitization: There is no evidence of sanitization or filtering of text content retrieved from web pages before it is potentially used in downstream logic or reported to the user.
- Data Exposure (SAFE): While the skill writes logs and screenshots to local paths such as /mnt/user-data/outputs/ and /tmp/, no evidence was found of accessing sensitive system files or exfiltrating data to external network locations.
Audit Metadata