dogfood
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill directly interpolates the user-provided
Target URLinto a shell command (bunx playwright screenshot --full-page "{TARGET_URL}"). This poses a high risk of command injection, as a malicious user could provide a URL containing shell metacharacters to execute arbitrary code on the host machine.\n- [REMOTE_CODE_EXECUTION]: The skill usesbunx playwright, which downloads and executes theplaywrightpackage from the npm registry at runtime. While this is a well-known tool, executing unversioned remote code introduces a potential supply chain risk.\n- [CREDENTIALS_UNSAFE]: The workflow instructions direct the agent to handle sensitive user credentials, including typing email/password combinations and requesting/entering One-Time Passwords (OTPs) within the browser environment.\n- [EXTERNAL_DOWNLOADS]: The skill is designed to navigate to and download content from arbitrary external websites specified by the user as theTarget URL.\n- [DATA_EXFILTRATION]: The skill presents a surface for Indirect Prompt Injection by reading and processing untrusted data from external websites and browser consoles.\n - Ingestion points: External web content retrieved via
read_page,get_page_text, andread_console_messagesin SKILL.md.\n - Boundary markers: No delimiters or isolation techniques are employed to separate external web data from the agent's internal logic or instructions.\n
- Capability inventory: The agent has access to shell commands (
mkdir,cp,bunx), file system writes, and interactive browser tools.\n - Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from external sources before it is interpreted by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata