qa-happy-path
Pass
Audited by Gen Agent Trust Hub on May 9, 2026
Risk Level: SAFE
DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructions require the agent to read sensitive configuration files, specifically `.env.qa`, to retrieve credentials like `QA_TEST_USER_EMAIL` and `QA_TEST_USER_PASSWORD`. While this is a standard requirement for automated UI testing, the access to local environment files creates a risk surface where these credentials could be exfiltrated if the agent is successfully manipulated by external content or malicious instructions.
- [PROMPT_INJECTION]: The agent is highly susceptible to indirect prompt injection because its primary function is to navigate to and process content from external web applications using tools like `mcp__playwright__browser_navigate` and `mcp__playwright__browser_snapshot`. Maliciously crafted content on a target website could attempt to override the agent's instructions to perform unauthorized actions or leak the credentials it has loaded into its context.
- Ingestion points: Content is ingested from web pages via `mcp__playwright__browser_navigate`, `mcp__playwright__browser_snapshot`, and `mcp__playwright__browser_network_requests`.
- Boundary markers: Absent. The skill does not provide instructions to the agent to treat page content as untrusted or to ignore embedded instructions within the UI or HTML.
- Capability inventory: The agent possesses powerful capabilities, including `mcp__playwright__browser_evaluate` (which allows executing arbitrary JavaScript in the browser context), `WebFetch`, and the ability to interact with file systems and (potentially) issue trackers.
- Sanitization: Absent. There are no mechanisms described for validating or filtering the data retrieved from the browser before the agent processes it or uses it to make decisions.
Audit Metadata