browser-test
Pass
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands constructed from task variables, such as
{dev_server_command}and{task_id}. This pattern allows for command injection if these variables contain shell metacharacters and are sourced from untrusted task definitions.\n- [DYNAMIC_EXECUTION]: TypeScript test scripts (.spec.ts) and Playwright configuration files are generated at runtime by interpolating task-specific strings into templates. These scripts are subsequently executed, presenting a risk of arbitrary code execution if input strings like task titles or natural language steps are maliciously crafted to break out of string literals.\n- [INDIRECT_PROMPT_INJECTION]:\n - Ingestion points: The skill reads
browser_acceptanceJSON configuration (steps, name) and task metadata (task_id,task_title).\n - Boundary markers: There are no explicit delimiters or instructions to ignore embedded commands during the interpolation of these fields into script templates or shell commands.\n
- Capability inventory: The skill can perform file system writes (generating tests), shell execution (
npx,kill,npm), and network operations (via Playwright'spage.goto).\n - Sanitization: No sanitization or validation of user-provided strings is described before they are used in command lines or code generation.\n- [EXTERNAL_DOWNLOADS]: The skill checks for the presence of Playwright and suggests using
npm init playwright@latestif missing, which is a standard procedure for this tool but involves downloading external code.
Audit Metadata