webapp-testing
Fail
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The file scripts/with_server.py utilizes subprocess.Popen(shell=True) to execute arbitrary strings provided via the --server command-line argument. This allows for arbitrary command injection or execution within the host environment.
- [PROMPT_INJECTION] (MEDIUM): SKILL.md contains a specific directive: "DO NOT read the source until you try running the script first". This is an adversarial instruction pattern intended to prevent the AI agent from performing security analysis on the script's code before execution.
- [DATA_EXFILTRATION] (MEDIUM): examples/static_html_automation.py utilizes file:// URLs to load local files into the Playwright browser. This capability allows the browser to read sensitive local filesystem data, which could be exfiltrated if combined with network requests to external domains.
- [COMMAND_EXECUTION] (MEDIUM): scripts/with_server.py also executes trailing command-line arguments using subprocess.run(), which provides an additional vector for executing arbitrary system commands.
- [PROMPT_INJECTION] (LOW): The skill is highly susceptible to Indirect Prompt Injection (Category 8).
  - Ingestion points: page.content() and DOM inspection in SKILL.md and element_discovery.py ingest untrusted data from web pages.
  - Boundary markers: None present; the instructions do not advise the agent to ignore embedded instructions in the web content.
  - Capability inventory: The skill has high-privilege shell access via scripts/with_server.py.
  - Sanitization: No sanitization or validation of the ingested HTML/DOM content is performed before it is processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata