webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script 'scripts/with_server.py' uses 'subprocess.Popen(shell=True)' to execute commands provided via the '--server' argument, which can be used to run arbitrary shell instructions.
- [REMOTE_CODE_EXECUTION]: The skill encourages a workflow where the agent generates and executes local Python scripts (Playwright automations) at runtime, which is a form of dynamic code execution.
- [PROMPT_INJECTION]: The documentation in 'SKILL.md' explicitly instructs the agent 'DO NOT read the source until you try running the script first', which discourages source code inspection and safety verification before execution.
- [PROMPT_INJECTION]: The skill has an indirect prompt injection surface, as it processes untrusted data from web applications:
  - Ingestion points: 'examples/element_discovery.py' (lines 15-35) reads DOM content and attributes; 'examples/console_logging.py' (lines 14-17) captures browser console messages.
  - Boundary markers: No delimiters or safety instructions are used to separate untrusted web data from the agent's command context.
  - Capability inventory: 'scripts/with_server.py' (lines 74-83) executes shell commands via 'subprocess'; Playwright scripts have filesystem access for screenshots and logs.
  - Sanitization: There is no evidence of sanitization or validation of the data retrieved from the web applications before it influences agent logic.
Audit Metadata