web-to-prd
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands via the Bash tool to manage local file system state, specifically targeting lock files within the user's home directory to manage browser profiles (e.g., `rm -f "$HOME/.playwright-profile/SingletonLock"`).
- [REMOTE_CODE_EXECUTION]: The skill involves the dynamic execution of remote code by instructing the agent to install and run MCP servers using `npx`. This pattern fetches and executes packages such as `@playwright/mcp` and `firecrawl-mcp` from the npm registry at runtime.
- [DATA_EXFILTRATION]: The skill's core functionality involves crawling potentially authenticated web application sessions and exporting the extracted metadata and screenshots to an external service (Notion). This represents a managed data exfiltration path where sensitive application data is moved to a third-party cloud environment.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests untrusted data from external websites and processes it to generate structured documentation.
  - Ingestion points: Raw web content, UI element text, and page snapshots retrieved via Playwright tools.
  - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between crawled data and the skill's operational instructions.
  - Capability inventory: Access to Bash, local file writing, web searching, and Notion API integration.
  - Sanitization: The skill does not describe any sanitization or filtering of the retrieved web content before it is used for feature extraction and PRD generation.
Audit Metadata