webapp-testing
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute commands provided via the --server argument. This allows the execution of arbitrary shell strings, including command chaining (e.g., cd backend && python server.py), which can be misused if input is not strictly controlled.
- [COMMAND_EXECUTION]: The helper script scripts/with_server.py also executes a trailing command (the automation script) using subprocess.run after the defined servers are ready.
- [PROMPT_INJECTION]: The SKILL.md file contains instructions telling the agent "DO NOT read the source until you try running the script first." This pattern discourages the agent from inspecting or auditing the script's logic before execution, which is a concealment technique that reduces oversight.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it uses Playwright to navigate to and inspect web applications (page.goto, page.content). Maliciously crafted web content could contain hidden instructions targeting the agent's logic.
- Ingestion points: Data enters the agent's context through page.content(), page.locator().all(), and inner_text() calls in examples/element_discovery.py and SKILL.md.
- Boundary markers: Absent. The skill does not provide delimiters or warnings to the agent to disregard instructions found within the processed web data.
- Capability inventory: The agent has access to arbitrary shell execution via scripts/with_server.py.
- Sanitization: Absent. Web content is processed and displayed without escaping or validation.
Audit Metadata