aiden-test-feature

Pass

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill installs the agent-browser package from the npm registry if it is not already available. This tool is developed by Vercel Labs, which is recognized as a well-known technology provider.
  • [COMMAND_EXECUTION]: The skill executes shell commands to identify and start development servers based on project metadata (e.g., npm run dev, docker compose up). It also uses the agent-browser CLI for automated browser interactions like clicking and filling forms.
  • [DATA_EXFILTRATION]: Captured screenshots and videos are uploaded to S3. The destination URL is provided by a platform-specific MCP tool (mcp__aiden__get_upload_url), which is the standard and intended method for this skill's reporting functionality.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests and acts upon untrusted data from the project repository. Specifically, it reads package.json and other configuration files to determine which commands to run to start the application. If an attacker supplies a malicious repository, the start scripts it defines could execute arbitrary commands.
      • Ingestion points: Project configuration files such as package.json, Makefile, and docker-compose.yml, as well as git diff output.
      • Boundary markers: Absent; the skill does not wrap these inputs in delimiters or instruct the agent to ignore instructions within them.
      • Capability inventory: Bash shell execution, background process management, network uploads via MCP tools, and file system access within /tmp.
      • Sanitization: None; scripts extracted from project files are executed directly in the shell.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 1, 2026, 07:40 AM