director
Warn
Audited by Gen Agent Trust Hub on Apr 30, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The video conversion helper scripts provided in `references/playwright-config.md` (`convertToMp4` and `convertToGif`) use Node.js `execSync` to run `ffmpeg` commands. The file paths passed to these commands are derived from `testInfo.title` and only sanitized for whitespace (`replace(/\s+/g, '_')`). Shell metacharacters such as `;`, `&`, and `$()` are not sanitized, creating a command injection vulnerability if an attacker can influence the test or feature title.
- [EXTERNAL_DOWNLOADS]: The skill's CI/CD documentation in `references/playwright-config.md` includes commands to download and install Playwright browsers and system dependencies (`npx playwright install`, `apt-get install -y ffmpeg`). While these target standard package registries and official repositories, they represent an external dependency vector.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted content in the form of existing Playwright tests and user-provided feature descriptions to generate scenarios.
  - Ingestion points: `SKILL.md` and `references/scenario-guidelines.md` specify reading existing tests and user stories at the planning phase.
  - Boundary markers: The workflow utilizes a structured `Script → Stage → Shoot → Deliver` process which provides natural check-points, though it lacks explicit "ignore instructions" delimiters for ingested code.
  - Capability inventory: The skill has access to the filesystem (via `fs` and `execSync`) and network (via Playwright's API request context and browser automation).
  - Sanitization: No robust sanitization or escaping is performed on the ingested content before it is interpolated into test code or shell command arguments.
Audit Metadata