webapp-testing
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Flagged categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Prompt Injection (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because it uses autonomous agents to explore and interact with live web applications.
  - Ingestion points: The Planner and Generator agents read the DOM and page content of target URLs (specified in references/planner-agent.md and references/generator-agent.md).
  - Boundary markers: Absent. The instructions do not define clear delimiters or instruct the agent to ignore instructions embedded in the web application's UI or metadata.
  - Capability inventory: The skill possesses the ability to write executable TypeScript files (tests/*.spec.ts) and run them via npx playwright test (Command Execution).
  - Sanitization: Absent. The process of translating user flows from a website into code lacks sanitization for embedded LLM instructions.
- Remote Code Execution (LOW): The setup instructions (SKILL.md, references/playwright-setup.md) direct the user to run npx -y @playwright/mcp@latest. This command downloads and executes code from a remote registry. While @playwright is a reputable namespace associated with Microsoft, the dynamic nature of npx with @latest presents a minor risk.
- Command Execution (LOW): The skill workflow relies on executing shell commands to run tests and initialize agents (e.g., npx playwright test, npx playwright init-agents). While expected for the skill's purpose, this grants the agent significant control over the local environment.
- External Downloads (LOW): Installation of @playwright/test is required. Per the [TRUST-SCOPE-RULE], these downloads from a trusted ecosystem (Microsoft/Playwright) are considered low risk in the context of the skill's intended use.
Audit Metadata