webapp-testing
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DYNAMIC_EXECUTION]: The script scripts/with_server.py uses subprocess.Popen with shell=True to execute the command provided via the --server argument. Because the string is interpreted by a shell, it can carry arbitrary shell commands and shell features such as pipes and command chaining, which is risky if the input is not strictly controlled. Evidence: scripts/with_server.py line 92 uses shell=True.
- [PROMPT_INJECTION]: The SKILL.md documentation explicitly instructs the agent to treat scripts as black boxes and avoid reading their source code. This is a behavioral override that prevents the agent from performing security reviews of the code it executes. Evidence: SKILL.md contains the instruction 'Use bundled scripts as black boxes; run --help first, don't read source'.
- [INDIRECT_PROMPT_INJECTION]: The skill automates browsers to read content from arbitrary web pages, creating a surface for injection.
  - Ingestion points: Web page content (DOM, console logs) is read into the context via page.content() and page.locator().all() in example scripts.
  - Boundary markers: None identified in instructions or scripts.
  - Capability inventory: The skill can execute shell commands and write files.
  - Sanitization: No evidence of sanitization or filtering of ingested content before processing by the agent.
Audit Metadata