e2e-test-loop
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Embedded shell command execution in markdown body.
  - Evidence: The marker `!git branch --show-current` is used in the markdown body. Depending on the agent's markdown renderer, this pattern often triggers local shell execution to dynamically populate content.
- [PROMPT_INJECTION] (HIGH): High-risk indirect prompt injection surface (Category 8).
  - Ingestion points: The `/e2e "prompt"` command in `SKILL.md` accepts arbitrary user strings.
  - Boundary markers: Absent. User input is interpolated into the workflow without delimiters or instructions to ignore embedded commands.
  - Capability inventory: Shell command execution (`dex` commands), file system modification (creating test scripts), and browser automation (Playwright).
  - Sanitization: Absent. User descriptions directly influence the creation of 'Dex' tasks and subsequent code generation.
- [REMOTE_CODE_EXECUTION] (HIGH): Generation of executable code from untrusted input.
  - Evidence: The skill is designed to generate Playwright TypeScript files (e.g., `checkout.e2e.ts`) based on user-provided flow descriptions. An attacker can use the input prompt to inject malicious code into these generated files, which are then executed in the developer's environment or CI/CD pipeline.
- [EXTERNAL_DOWNLOADS] (MEDIUM): Dependency on unverified external tool 'dex'.
  - Evidence: The workflow requires the `dex` CLI tool for task management (`dex create`, `dex list`), but the skill provides no information regarding the source, integrity, or installation safety of this tool.
Recommendations
- AI detected serious security threats