dogfood

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSCREDENTIALS_UNSAFEDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill directly interpolates the user-provided Target URL into a shell command (bunx playwright screenshot --full-page "{TARGET_URL}"). This poses a high risk of command injection, as a malicious user could provide a URL containing shell metacharacters to execute arbitrary code on the host machine.\n- [REMOTE_CODE_EXECUTION]: The skill uses bunx playwright, which downloads and executes the playwright package from the npm registry at runtime. While this is a well-known tool, executing unversioned remote code introduces a potential supply chain risk.\n- [CREDENTIALS_UNSAFE]: The workflow instructions direct the agent to handle sensitive user credentials, including typing email/password combinations and requesting/entering One-Time Passwords (OTPs) within the browser environment.\n- [EXTERNAL_DOWNLOADS]: The skill is designed to navigate to and download content from arbitrary external websites specified by the user as the Target URL.\n- [DATA_EXFILTRATION]: The skill presents a surface for Indirect Prompt Injection by reading and processing untrusted data from external websites and browser consoles.\n
  • Ingestion points: External web content retrieved via read_page, get_page_text, and read_console_messages in SKILL.md.\n
  • Boundary markers: No delimiters or isolation techniques are employed to separate external web data from the agent's internal logic or instructions.\n
  • Capability inventory: The agent has access to shell commands (mkdir, cp, bunx), file system writes, and interactive browser tools.\n
  • Sanitization: There is no evidence of sanitization, filtering, or validation of the content retrieved from external sources before it is interpreted by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 09:09 PM