teach-web-actions
Warn
Audited by Gen Agent Trust Hub on Jul 8, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill generates JavaScript modules (
variant.js) at runtime based on recorded web sessions and executes them using a Node.js runner. It also utilizes shell scripts to orchestrate Playwright and ffmpeg for recording and replaying UI flows. - [DATA_EXFILTRATION]: The skill captures full network activity, including session cookies and authorization tokens, into
session.harfiles. While theprocess_har.pyscript redacts these in the lesson summaries, the raw sensitive data remains stored locally and is accessed by the agent for replaying actions, creating a risk of accidental data exposure. - [EXTERNAL_DOWNLOADS]: The scripts perform automatic installation of the
playwrightpackage and may download browser binaries and media tools through Playwright's installation commands. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it processes untrusted website data to inform its logic and code generation.
- Ingestion points: External website responses and network logs captured in
session.harand UI interaction steps inactions.js. - Boundary markers: No explicit delimiters or instructions are used to prevent the agent from obeying instructions embedded in the captured web data during script generation.
- Capability inventory: The skill possesses capabilities for shell command execution, filesystem read/write operations within the lesson directory, and network communication via Playwright and curl.
- Sanitization: A distillation script redacts common secret patterns (e.g., tokens, passwords) using regular expressions, but does not validate or sanitize the overall content of the network logs.
Audit Metadata