webapp-testing

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM
Finding categories: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • PROMPT_INJECTION (MEDIUM): The SKILL.md file contains a meta-instruction ('DO NOT read the source until you try running the script first') that explicitly attempts to bypass the agent's security auditing behavior. This is a deceptive directive designed to prevent inspection of the skill's logic.
  • COMMAND_EXECUTION (MEDIUM): The script 'scripts/with_server.py' uses 'subprocess.Popen' with 'shell=True' to execute commands provided via CLI arguments. This allows for arbitrary command execution on the host system based on strings generated by the agent.
  • Indirect Prompt Injection Surface (LOW): The skill implements a 'Reconnaissance-Then-Action' pattern that ingests rendered DOM content via 'page.content()'. Evidence:
    1. Ingestion points: page.content() and page.locator() in element_discovery.py
    2. Boundary markers: Absent
    3. Capability inventory: Subprocess execution and shell command spawning in with_server.py
    4. Sanitization: Absent
    This creates a surface where malicious instructions embedded in a web page could influence the agent's logic.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Feb 17, 2026, 06:46 PM