dogfood
Pass
Audited by Gen Agent Trust Hub on Apr 17, 2026
Risk Level: SAFE, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it systematically navigates and interprets content from arbitrary web pages to find issues.
  - Ingestion points: Untrusted data enters the agent context through page snapshots and browser console output retrieved via the `agent-browser` tool (specifically in `SKILL.md` during the Orientation and Exploration phases).
  - Boundary markers: The instructions lack explicit delimiters or instructions to the model to ignore embedded commands within the target application's UI or content.
  - Capability inventory: The skill possesses capabilities to execute shell commands (`mkdir`, `cp`), perform file system writes (output directory management), and conduct extensive browser interactions (clicking, typing, and video recording).
  - Sanitization: No sanitization or filtering logic is applied to the web content before the agent processes it to decide on subsequent actions.
- [COMMAND_EXECUTION]: The skill relies on shell commands for environment initialization and tool orchestration.
  - Execution method: Invokes `Bash` to create directory structures and copy report templates.
  - Context: Orchestrates the `agent-browser` CLI to automate browser sessions, which involves executing commands with parameters derived from the target application's state.
Audit Metadata