webapp-testing
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Command Execution] (MEDIUM): The script 'scripts/with_server.py' uses subprocess.Popen with shell=True to execute strings provided via command-line arguments. This allows for arbitrary shell command execution, which could be exploited if an attacker influences the arguments passed to the script.
- [Remote Code Execution] (MEDIUM): The skill's primary workflow involves the AI agent generating and executing its own Python Playwright scripts. This provides a direct path for arbitrary code execution within the agent's environment.
- [Prompt Injection] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) because it processes untrusted data from web applications. Evidence Chain: 1. Ingestion points: page.content(), inner_text(), and console messages (detected in 'examples/console_logging.py' and 'examples/element_discovery.py'). 2. Boundary markers: Absent; there are no instructions to isolate or treat web content as untrusted data. 3. Capability inventory: The skill can execute arbitrary shell commands via 'scripts/with_server.py' and write to the filesystem (detected in 'examples/static_html_automation.py'). 4. Sanitization: Absent; the skill does not sanitize or validate data retrieved from the browser before the agent processes it.
Audit Metadata