anthropic-webapp-testing
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute command-line strings provided as arguments. It also uses subprocess.run to execute trailing commands. This allows for arbitrary shell command execution within the agent's environment.
- [PROMPT_INJECTION]: The skill instructions in SKILL.md advise the agent to avoid reading the source code of utility scripts ('DO NOT read the source until you try running the script first'), which functions as a concealment pattern. The skill also presents an indirect prompt injection surface through its primary function of processing external web content.
- Ingestion points: Data from external web applications is ingested via Playwright using page.content(), page.screenshot(), and element discovery tools.
- Boundary markers: The skill does not implement delimiters or instructions to isolate untrusted web data from the agent's instruction context.
- Capability inventory: The agent is equipped with shell command execution tools (scripts/with_server.py) and file system write access for logs and screenshots.
- Sanitization: No content sanitization or instruction-filtering is applied to the data retrieved from web pages before it is processed by the agent.
Audit Metadata