web-automation-builder

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently employs execSync and spawn to perform system-level operations in tool.js, lib/replayer.js, and the generated tool.js.tpl. It uses these calls to install dependencies, update its own code, and execute automation steps via the Playwright skill. Additionally, the skill performs runtime code generation: lib/generator.js and lib/exporter.js create executable Node.js scripts and Skill manifest files based on user-recorded data.
  • [EXTERNAL_DOWNLOADS]: The install and update commands in tool.js execute npm install, which downloads packages from the public NPM registry. While the primary dependency playwright-core is from a well-known organization (Microsoft), the use of a clean reinstall mechanism (rm -rf node_modules && npm install) during updates represents a supply-chain risk surface.
  • [DATA_EXFILTRATION]: The NetworkMonitor class in lib/network-monitor.js captures full request and response bodies (up to 512KB) for all intercepted network traffic. Although this data is saved to a local directory (~/.cursor/skills/web-automation-builder-data/), the skill's design involves passing this raw traffic to an LLM for analysis. This creates a risk of exposing sensitive information such as API tokens, session cookies, or personally identifiable information (PII) captured during the recording session.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes untrusted data recorded from external websites (DOM content and network requests). This data is analyzed by the LLM to generate code and workflows without robust sanitization or specific boundary markers.
      • Ingestion points: External DOM events and API response bodies captured in lib/recorder.js and processed in tool.js.
      • Boundary markers: Absent; the instructions in SKILL.md do not define delimiters or warnings to ignore instructions embedded within recorded data.
      • Capability inventory: The skill has access to execSync for shell execution and fs.writeFileSync for persistent file creation.
      • Sanitization: Absent; while the skill performs basic string escaping for JavaScript generation, it lacks semantic sanitization to prevent malicious instructions in the recorded data from influencing the LLM's output.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 07:34 PM