NYC

web-browser-automation

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill's core functionality involves visiting external websites and extracting content, creating a vulnerability to indirect prompt injection.
      • Ingestion points: Use of page.goto(), driver.get(), and execute_javascript() in workflows.md and framework-specific reference files.
      • Boundary markers: None identified; extracted web content is introduced directly into the agent context without isolation.
      • Capability inventory: The skill is explicitly granted Bash and Write tool permissions in SKILL.md. Examples in workflows.md also demonstrate local file writes using json.dump and fs.writeFileSync.
      • Sanitization: No evidence of sanitization or filtering of external content before processing.
  • EXTERNAL_DOWNLOADS (LOW): The playwright install command in references/playwright-automation.md downloads browser binaries from Microsoft. This is a trusted source, so the finding is downgraded to LOW per [TRUST-SCOPE-RULE].
  • COMMAND_EXECUTION (MEDIUM): The skill utilizes the Bash tool and frameworks that manage browser subprocesses. While legitimate for automation, this surface could be exploited if the agent is manipulated by malicious web content into executing unintended local commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 07:30 AM