webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The utility script scripts/with_server.py allows for the execution of arbitrary shell commands provided as arguments.
- Evidence: In scripts/with_server.py, the --server argument is passed directly to subprocess.Popen with shell=True to support complex command strings (e.g., using && or cd).
- Evidence: The script also executes trailing command arguments using subprocess.run().
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes content from external web applications while having access to shell execution tools.
- Ingestion points: Web content is ingested into the agent's context through Playwright commands like page.goto() and page.content(), as shown in the examples.
- Boundary markers: The skill lacks explicit instructions or delimiters to warn the agent against following instructions embedded in the target web applications.
- Capability inventory: The presence of scripts/with_server.py provides the agent with a mechanism to execute shell commands.
- Sanitization: No validation or sanitization is performed on the commands before execution.
- [PROMPT_INJECTION]: The instructions in SKILL.md discourage the agent from reviewing the source code of utility scripts, which can bypass the agent's internal safety reasoning.
- Evidence: The markdown contains the instruction: 'DO NOT read the source until you try running the script first... These scripts can be very large and thus pollute your context window. They exist to be called directly as black-box scripts rather than ingested into your context window.'
Audit Metadata