Trust Assessment
webapp-testing received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 8 findings: 3 critical, 3 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Dangerous call: subprocess.Popen().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 40/100, indicating areas for improvement.
Last analyzed on February 20, 2026 (commit 27904475). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (8)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | webapp-testing/scripts/with_server.py:69 |
| CRITICAL | Arbitrary command execution: Python shell execution (os.system, subprocess). Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | webapp-testing/scripts/with_server.py:88 |
| CRITICAL | Arbitrary command execution via subprocess.Popen with shell=True: `scripts/with_server.py` calls `subprocess.Popen` with `shell=True` and passes the user-provided server command (`server['cmd']`) straight to the shell, so a crafted `--server` argument can inject arbitrary shell commands and compromise the host. For example, `--server 'rm -rf / && npm run dev'` would attempt to delete the filesystem root and, if that succeeded, start the npm development server. Avoid `shell=True` when the command contains user-controlled input: split the command string into an argument list (`shlex.split()` handles quoting) and pass the list to `subprocess.Popen` or `subprocess.run` without `shell=True`. Splitting only removes the shell's command chaining; it does not restrict which program is run, so pair it with strict validation of the executable and its arguments. If shell features are genuinely required, validate the input so that only expected commands and arguments ever reach the shell. | LLM | scripts/with_server.py:70 |
| HIGH | Dangerous call: subprocess.run(). Call to `subprocess.run()` detected in function `main`. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | webapp-testing/scripts/with_server.py:88 |
| HIGH | Dangerous call: subprocess.Popen(). Call to `subprocess.Popen()` detected in function `main`. This can execute arbitrary code. Avoid using dangerous functions like exec/eval/os.system; use safer alternatives. | Static | webapp-testing/scripts/with_server.py:69 |
| HIGH | Skill designed for arbitrary command execution: the `webapp-testing` skill, through `scripts/with_server.py`, is explicitly built to run whatever shell command the user (or the agent) supplies in order to start a web server. That is the intended functionality for testing applications that need a server, but it gives the agent the ability to execute any command on the host, which is a significant risk if the agent is misled or its prompts are manipulated. Document the high-risk nature of this skill. Add strict input validation and, where possible, sandboxing. Only highly trusted agents with carefully controlled prompts should use it. Consider restricting the commands that may be executed (for example to an allowlist of server executables) or running them in a more isolated environment. | LLM | scripts/with_server.py:1 |
| MEDIUM | Suspicious import: socket. Import of `socket` detected. This module provides network or low-level system access; verify the import is necessary, since network and system modules in skill code can be a vehicle for data exfiltration. | Static | webapp-testing/scripts/with_server.py:18 |
| MEDIUM | Potential local file disclosure via file:// URLs in Playwright: `examples/static_html_automation.py` loads local files through `file://` URLs. If the agent is instructed to open a sensitive local file (for example `/etc/passwd`, configuration files, or user data) in the Playwright browser context, the agent can then read it back with `page.content()` or similar calls and exfiltrate it. Validate or sandbox the paths that may be turned into `file://` URLs: restrict them to designated fixture directories, or disallow arbitrary local files entirely if they are not needed for the skill's core function, and make sure the agent is not prompted to load sensitive files. | LLM | examples/static_html_automation.py:7 |
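The following Python is an added illustration of the two remediations above (the `shell=True` finding at `scripts/with_server.py:70` and the `file://` finding at `examples/static_html_automation.py:7`); it is not the skill's own `with_server.py`, which this report does not reproduce. The allowlist of server executables, the `FIXTURE_ROOT` directory and the function names are hypothetical choices made for the example:

```python
"""Hardening sketch for a with_server-style launcher (illustrative, not the skill's code).

Hypothetical policy: dev servers may only be started with a small set of
executables, and local HTML fixtures live under FIXTURE_ROOT.
"""
import shlex
import shutil
import subprocess
from pathlib import Path
from typing import List, Optional
from urllib.parse import unquote, urlparse

# Hypothetical allowlist: the only programs a --server command may start.
ALLOWED_EXECUTABLES = frozenset({"npm", "npx", "node", "python", "python3", "flask", "uvicorn"})
# Tokens that are only meaningful to a shell. With shell=False they would reach
# the program as literal arguments, so reject them instead of passing them on.
SHELL_ONLY_TOKENS = frozenset({"&&", "||", ";", "|", "&", ">", ">>", "<"})
FIXTURE_ROOT = "/srv/webapp-fixtures"  # hypothetical directory for local test pages


class UnsafeCommand(ValueError):
    """The server command is not something the launcher is willing to run."""


class UnsafeFileUrl(ValueError):
    """The requested file:// target lies outside the fixture directory."""


def parse_server_command(cmd: str) -> List[str]:
    """Turn a server command string into argv without involving a shell.

    shlex.split treats '&&', ';' and friends as ordinary words, so the string
    'rm -rf / && npm run dev' becomes ['rm', '-rf', '/', '&&', 'npm', 'run', 'dev']
    and is rejected twice over: 'rm' is not allowlisted and '&&' is shell-only.
    """
    argv = shlex.split(cmd)  # POSIX quoting rules, no expansion, no chaining
    if not argv:
        raise UnsafeCommand("empty server command")
    program = Path(argv[0]).name  # accept 'npm' and '/usr/bin/npm' alike
    if program not in ALLOWED_EXECUTABLES:
        raise UnsafeCommand(f"program {program!r} is not in the allowlist")
    for token in argv[1:]:
        if token in SHELL_ONLY_TOKENS or token.startswith("$(") or "`" in token:
            raise UnsafeCommand(f"shell syntax {token!r} is not allowed in arguments")
    return argv


def command_is_allowed(cmd: str) -> bool:
    try:
        parse_server_command(cmd)
        return True
    except UnsafeCommand:
        return False


def start_server(cmd: str, cwd: Optional[str] = None) -> subprocess.Popen:
    """Launch the validated command with shell=False and an absolute program path."""
    argv = parse_server_command(cmd)
    resolved = shutil.which(argv[0])  # absolute path, as the Manifest finding asks for
    if resolved is None:
        raise UnsafeCommand(f"{argv[0]!r} not found on PATH")
    return subprocess.Popen([resolved, *argv[1:]], cwd=cwd)  # no shell=True


def safe_file_url(target: str, root: str = FIXTURE_ROOT) -> str:
    """Return a file:// URL for target only if it resolves inside root.

    Accepts a plain path (relative paths are taken relative to root) or a
    file:// URL. '..' segments and symlinks are collapsed with resolve() before
    the containment check, so '../../etc/passwd' cannot escape the fixture root.
    """
    parsed = urlparse(target)
    if parsed.scheme == "file":
        requested = Path(unquote(parsed.path))
    elif parsed.scheme == "":
        requested = Path(target)
    else:
        raise UnsafeFileUrl(f"only file:// targets are accepted, got {parsed.scheme!r}")
    root_path = Path(root).resolve()
    full = (requested if requested.is_absolute() else root_path / requested).resolve()
    if full != root_path and root_path not in full.parents:
        raise UnsafeFileUrl(f"{full} is outside {root_path}")
    return full.as_uri()


def file_url_is_allowed(target: str, root: str = FIXTURE_ROOT) -> bool:
    try:
        safe_file_url(target, root)
        return True
    except UnsafeFileUrl:
        return False


if __name__ == "__main__":
    # Constructed inputs, including the injection string quoted in the finding.
    for candidate in ("npm run dev", "python3 -m http.server 8000", "rm -rf / && npm run dev"):
        print(f"{candidate!r:40} allowed={command_is_allowed(candidate)}")
    for page in ("index.html", "../../etc/passwd", "file:///etc/passwd"):
        print(f"{page!r:40} allowed={file_url_is_allowed(page)}")
```

The allowlist on `argv[0]` is what actually closes the hole: without it, `shlex.split` would still hand `rm` a perfectly valid argument list. The `file://` check relies on resolving both the root and the requested path before comparing them, so a symlinked fixture directory or a `..`-laden relative path is judged by where it really points.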
Full report: https://skillshield.io/report/dd9b1f38953b39d2
Powered by SkillShield