webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script scripts/with_server.py uses subprocess.Popen with shell=True to run server commands and subprocess.run to execute trailing automation commands. This pattern is susceptible to command injection if the arguments provided to the script are derived from untrusted inputs.
- [PROMPT_INJECTION]: Instructions in SKILL.md explicitly tell the agent not to read the source code of the scripts unless absolutely necessary. While this is framed as context management, it serves to prevent the agent from inspecting the underlying implementation of command execution and other capabilities.
- [PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection due to the way it interacts with web content.
  - Ingestion points: In examples/element_discovery.py, the agent is instructed to read DOM content and element text using page.content() and button.inner_text().
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands in the processed web data are present.
  - Capability inventory: The skill can execute arbitrary shell commands via scripts/with_server.py and write files to the filesystem, such as logs in examples/console_logging.py.
  - Sanitization: No evidence of sanitization or filtering of the content retrieved from web pages is present before the agent processes it for decision-making.