ziniao-page
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the
ziniao-clibinary to perform browser automation, system queries, and file operations. Notable commands include: ziniao-cli automation run: Executes complex sequences of browser interactions defined via JSON.ziniao-cli utility download: Writes arbitrary content to the local filesystem under the downloads directory.- [REMOTE_CODE_EXECUTION]: The skill provides the
page execcommand and anexecstep within theautomation runcommand, allowing the agent to execute arbitrary JavaScript code directly within the browser's context. This capability can be used to manipulate page state, bypass client-side security controls, or extract sensitive session information. - [DATA_EXFILTRATION]: Multiple commands facilitate the extraction of data from potentially sensitive browser sessions (e.g., Amazon Seller Central):
page contentandpage extract: Retrieve HTML, text, or structured data from the active page.page screenshot: Captures images of the viewport or full page, which can be saved to local paths via the--pathargument.- [PROMPT_INJECTION]: The skill exhibits a significant surface for Indirect Prompt Injection (Category 8):
- Ingestion points: Data enters the agent's context through
page content,page query, andpage extractoperations (found inSKILL.mdand related references). - Boundary markers: The instructions lack explicit boundary markers or warnings to the agent to disregard instructions embedded within the retrieved web content.
- Capability inventory: The agent has access to high-impact capabilities including arbitrary JavaScript execution (
page exec), form submission (page input), and file writing (utility download). - Sanitization: There is no evidence of sanitization or filtering of the retrieved web content before it is processed by the agent.
Audit Metadata