webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- Obfuscation / Metadata Poisoning (MEDIUM): The documentation explicitly instructs the agent: 'DO NOT read the source until you try running the script first.' and 'These scripts... exist to be called directly as black-box scripts rather than ingested into your context window.' While framed as a context-optimization measure, this discourages security-critical code review by the AI agent before execution, which is a known tactic to hide malicious behavior in auxiliary files.
- Indirect Prompt Injection (LOW): The skill implements a 'Reconnaissance-Then-Action' pattern where it reads the DOM of a web application and uses that information to 'Execute actions'.
- Ingestion points: Web page content and rendered DOM structure (e.g.,
page.content(),page.locator().all()) inSKILL.md. - Boundary markers: Absent; there are no delimiters or instructions to ignore embedded commands within the web pages being tested.
- Capability inventory: Arbitrary command execution via
with_server.pyserver arguments and the ability to run generated Python/Playwright automation scripts. - Sanitization: Absent; the agent is directed to identify selectors and execute actions based directly on the rendered state of untrusted external web pages.
- Command Execution (LOW): The skill's primary function involves executing shell commands provided as arguments (e.g.,
--server "npm run dev"). While functional for testing, this capability provides a direct execution path if the agent is manipulated via indirect injection.
Audit Metadata