teach-web-actions

Warn

Audited by Gen Agent Trust Hub on Jul 8, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill generates JavaScript modules (variant.js) at runtime based on recorded web sessions and executes them using a Node.js runner. It also utilizes shell scripts to orchestrate Playwright and ffmpeg for recording and replaying UI flows.
  • [DATA_EXFILTRATION]: The skill captures full network activity, including session cookies and authorization tokens, into session.har files. While the process_har.py script redacts these in the lesson summaries, the raw sensitive data remains stored locally and is accessed by the agent for replaying actions, creating a risk of accidental data exposure.
  • [EXTERNAL_DOWNLOADS]: The scripts perform automatic installation of the playwright package and may download browser binaries and media tools through Playwright's installation commands.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted website data to inform its logic and code generation.
  • Ingestion points: External website responses and network logs captured in session.har and UI interaction steps in actions.js.
  • Boundary markers: No explicit delimiters or instructions are used to prevent the agent from obeying instructions embedded in the captured web data during script generation.
  • Capability inventory: The skill possesses capabilities for shell command execution, filesystem read/write operations within the lesson directory, and network communication via Playwright and curl.
  • Sanitization: A distillation script redacts common secret patterns (e.g., tokens, passwords) using regular expressions, but does not validate or sanitize the overall content of the network logs.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 8, 2026, 03:28 AM
Security Audit — agent-trust-hub — teach-web-actions