webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- PROMPT_INJECTION (MEDIUM): The documentation in `SKILL.md` contains an instruction to 'DO NOT read the source until you try running the script first' and labels scripts as 'black-box'. This is an attempt to override the agent's typical safety behavior of inspecting code before execution, potentially hiding malicious logic in scripts like `with_server.py` from the agent's reasoning process.
- COMMAND_EXECUTION (MEDIUM): The utility script `scripts/with_server.py` uses `subprocess.Popen(shell=True)` to execute commands provided via the `--server` flag. While intended to start development servers, this pattern allows for arbitrary shell command execution with the privileges of the agent environment.
- PROMPT_INJECTION (LOW): Category 8 (Indirect Prompt Injection) risk identified through web content ingestion.
  - Ingestion points: `examples/element_discovery.py` and `examples/console_logging.py` ingest untrusted data from web pages via `page.content()`, `inner_text()`, and console message listeners.
  - Boundary markers: Absent. The skill does not provide delimiters or instructions to ignore instructions found within the tested web pages.
  - Capability inventory: The environment includes `subprocess.Popen` and `subprocess.run` capabilities (via `with_server.py`) which could be targeted by instructions embedded in a malicious web page.
  - Sanitization: None. Data from the browser is printed or saved directly without escaping or validation.
- DATA_EXPOSURE (LOW): The skill captures screenshots, console logs, and page content, saving them to paths like `/tmp/` and `/mnt/user-data/outputs/`. While necessary for testing, this creates a risk of sensitive data (e.g., session tokens in logs or PII on screens) being stored in insecure locations.
Audit Metadata