webapp-testing
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/with_server.py` utilizes `subprocess.Popen(shell=True)` and `subprocess.run()` to execute strings provided as command-line arguments. This architecture allows for the execution of arbitrary system commands, posing a critical risk if an attacker can influence the inputs provided to the agent.
- [PROMPT_INJECTION]: Instructions in `SKILL.md` explicitly state 'DO NOT read the source until you try running the script first'. This directive discourages the agent from performing a security review of the helper scripts before execution, which is a common concealment tactic that could mask malicious behavior within the scripts.
- [PROMPT_INJECTION]: The skill possesses a surface for indirect prompt injection by ingesting untrusted data from external websites:
  - Ingestion points: Data enters the context through `page.content()`, `page.locator().all()`, and console logs captured in `examples/element_discovery.py` and `examples/console_logging.py`.
  - Boundary markers: There are no markers or instructions provided to the agent to ignore embedded commands in the processed HTML or console logs.
  - Capability inventory: The skill provides high-privilege capabilities via `scripts/with_server.py`, which performs arbitrary subprocess calls and shell command execution.
  - Sanitization: There is no evidence of sanitization, escaping, or validation of the external content before it is processed or used to influence subsequent agent actions.