webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 8, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The helper script `scripts/with_server.py` uses `subprocess.Popen` with `shell=True` to execute commands passed to the `--server` argument. While this supports shell features like command chaining (`&&`), it creates a risk of command injection if the agent is manipulated into passing malicious strings.
- [PROMPT_INJECTION]: The `SKILL.md` file contains instructions that discourage the agent from reading the source code of the provided scripts ("DO NOT read the source until you try running the script first"). This behavior, intended to save context space, prevents the agent from performing a safety check on the code it is about to execute.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it is designed to interact with and extract data from web pages. An attacker could embed malicious instructions in a website's HTML, metadata, or console logs to influence the agent's behavior.
- Ingestion points: Data is ingested via `page.content()`, `page.locator().all()`, and browser console logs in `examples/console_logging.py`.
- Boundary markers: The instructions do not define boundary markers to separate untrusted web content from the agent's internal logic.
- Capability inventory: The agent has the capability to execute arbitrary shell commands via `scripts/with_server.py` and to write files to the local system.
- Sanitization: There is no evidence of sanitization or validation of the data retrieved from the browser before it is processed or used to make decisions.
Audit Metadata