web-clone
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
PROMPT_INJECTION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection.
  - Ingestion points: Untrusted data is ingested from external URLs provided in the target_url input via browser_navigate, browser_snapshot, and browser_evaluate scripts as defined in SKILL.md.
  - Boundary markers: The skill does not define specific delimiters or instructions to ignore embedded commands when processing extracted DOM or accessibility content.
  - Capability inventory: The agent utilizes browser automation tools (browser_navigate, browser_click, browser_evaluate), state management (state_write), and shell command execution (npx serve, python3).
  - Sanitization: There is no explicit sanitization of the extracted web content before it is passed to the LLM for code generation.
- [REMOTE_CODE_EXECUTION]: The skill implements a workflow where code is generated from untrusted web content and subsequently executed in a local browser environment during the verification phase (Step 4). This could allow malicious scripts from the target website to execute locally.
- [COMMAND_EXECUTION]: The skill uses shell commands to host the generated clone locally for testing purposes using npx serve or python3 -m http.server as documented in SKILL.md.
- [EXTERNAL_DOWNLOADS]: The skill recommends downloading and configuring the @playwright/mcp package from the official npm registry. This is a well-known service and the dependency is required for the skill's core functionality.
Audit Metadata