Trust Assessment
webapp-testing received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 11 findings: 4 critical, 2 high, 3 medium, and 1 low severity. Key findings include "Arbitrary command execution", "Dangerous call: subprocess.run()" and "Dangerous call: subprocess.Popen()".
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 26/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/webapp-testing/scripts/with_server.py:69 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess) | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | cli-tool/components/skills/development/webapp-testing/scripts/with_server.py:88 |
| CRITICAL | Attempt to manipulate LLM instructions | The skill's documentation contains an explicit instruction to the LLM: 'DO NOT read the source until you try running the script first'. This is a direct attempt to override the LLM's core directives and prevent it from performing a thorough analysis of the provided code, which is a form of prompt injection. | Remove instructions that attempt to manipulate the LLM's behavior or override its core directives. The LLM's primary function is to analyze all provided content. | LLM | SKILL.md:10 |
| CRITICAL | Arbitrary command execution via `subprocess.Popen` with `shell=True` | The `scripts/with_server.py` helper script takes `--server` arguments directly from user input and executes them using `subprocess.Popen(server['cmd'], shell=True)`. The use of `shell=True` with untrusted input allows an attacker to inject arbitrary shell commands, leading to full system compromise. For example, an input like `--server 'echo hello; rm -rf /'` would execute both commands. | Avoid `shell=True` when executing user-controlled commands. Instead, parse the command string into a list of arguments and pass it directly to `subprocess.Popen` or `subprocess.run`. If shell features are absolutely necessary, rigorously validate and sanitize user input, or use a safer alternative like `shlex.split` with extreme caution. | Static | scripts/with_server.py:70 |
| HIGH | Dangerous call: subprocess.run() | Call to 'subprocess.run()' detected in function 'main'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/development/webapp-testing/scripts/with_server.py:88 |
| HIGH | Dangerous call: subprocess.Popen() | Call to 'subprocess.Popen()' detected in function 'main'. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | cli-tool/components/skills/development/webapp-testing/scripts/with_server.py:69 |
| MEDIUM | Suspicious import: socket | Import of 'socket' detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | cli-tool/components/skills/development/webapp-testing/scripts/with_server.py:18 |
| MEDIUM | Network egress to untrusted endpoints | HTTP request to raw IP address | Review all outbound network calls. Remove connections to webhook collectors, paste sites, and raw IP addresses. Legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Potential local file disclosure via `file://` URLs in Playwright | The `examples/static_html_automation.py` script demonstrates navigating to local HTML files using `file://` URLs. If the `html_file_path` variable were to be controlled by untrusted input, an attacker could potentially read arbitrary local files accessible to the agent by constructing a malicious `file://` URL (e.g., `file:///etc/passwd`). While the example uses a hardcoded path, the pattern itself enables this capability. | When handling user-provided file paths for `file://` URLs, ensure strict validation and sanitization to prevent directory traversal or access to unintended files. Consider restricting file access to a specific, isolated directory or using a secure file serving mechanism. | Static | examples/static_html_automation.py:8 |
| LOW | Covert behavior / concealment directives | Multiple zero-width characters (stealth text) | Remove hidden instructions, zero-width characters, and bidirectional overrides. Skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
| INFO | Writes data to `/mnt/user-data/outputs` | The `examples/console_logging.py` script writes captured console logs to `/mnt/user-data/outputs/console.log`. While this is a standard output directory for agents and not inherently malicious, it demonstrates the capability to write arbitrary data to the agent's accessible file system. This capability, if combined with sensitive data or an exfiltration channel, could lead to data leakage. | Ensure that any data written to shared or accessible directories is not sensitive or is appropriately sanitized. Implement strict access controls on output directories. | Static | examples/console_logging.py:27 |
Full report: https://skillshield.io/report/814db3ac8496db31

Powered by SkillShield