webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (MEDIUM): The skill contains explicit instructions to the agent to treat scripts as 'black boxes' and 'DO NOT read the source until you try running the script first'. This encourages the agent to bypass a standard safety check (code inspection) before execution, which could be exploited to run obfuscated or malicious code stored in the referenced scripts.
- [COMMAND_EXECUTION] (MEDIUM): The scripts/with_server.py helper facilitates the execution of arbitrary shell commands provided via the --server argument. While intended for starting local servers, it provides a direct interface for the agent to spawn subprocesses with user-controlled or generated strings.
- [DATA_EXFILTRATION] (LOW): The skill is designed to capture browser screenshots and full DOM content (page.content()). While these are standard for testing, they represent a significant data ingestion surface that could be used to capture sensitive information if the agent is directed to an untrusted or sensitive local/remote URL.
- [PROMPT_INJECTION] (LOW): (Indirect) The skill's primary function is to ingest and process untrusted external data (web page DOM). There is a risk of indirect prompt injection where a malicious web page could contain instructions that influence the agent's subsequent automation steps.
- Ingestion points: page.content(), page.locator().all(), and screenshot analysis.
- Boundary markers: None. The instructions do not tell the agent to ignore instructions embedded within the web content being tested.
- Capability inventory: Writing and executing arbitrary Python files, shell command execution via with_server.py.
- Sanitization: None provided. The agent processes the rendered DOM directly.
Audit Metadata