webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script
scripts/with_server.pyexecutes arbitrary commands provided via the--serverargument usingsubprocess.Popenwithshell=True. This allows for shell metacharacter injection and execution of unintended system commands. - [PROMPT_INJECTION]: The skill instructions in
SKILL.mdexplicitly direct the agent to avoid reading the source code of its own scripts ("DO NOT read the source until you try running the script first"), which is a deceptive pattern used to bypass security reviews of potentially malicious logic. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection when testing web applications. \n
- Ingestion points: The skill reads external data from web pages and browser logs in
examples/element_discovery.pyandexamples/console_logging.pyusingpage.content(),inner_text(), and console event listeners. \n - Boundary markers: No boundary markers or specific instructions are provided to ignore or sanitize embedded commands within the ingested data. \n
- Capability inventory: The skill can execute arbitrary system commands via
scripts/with_server.pyand write to the filesystem. \n - Sanitization: The skill lacks any mechanism to sanitize or validate webpage content before it is processed by the agent.
Audit Metadata