Trust Assessment
web-qa-bot received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 11 findings: 8 critical, 1 high, 1 medium, and 1 low severity. Key findings include Unpinned npm dependency version, Command Injection via URL parameter, Command Injection via Screenshot Filename.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (11)
| Severity | Finding | Details | Layer | Location |
|---|---|---|---|---|
| CRITICAL | Command Injection via URL parameter | The `Browser.exec` method constructs shell commands by joining arguments, including user-provided URLs, without proper sanitization. A malicious URL containing shell metacharacters (e.g., `http://example.com; rm -rf /`) can lead to arbitrary command execution. This affects the `smoke` command's URL argument and the `run` command's `baseUrl` and `goto` steps in test suites. Sanitize all user-provided URL inputs before passing them to `Browser.exec`. Prefer using `child_process.spawn` with an array of arguments instead of `execSync` with a single command string, as `spawn` handles argument separation more securely. If `execSync` must be used, ensure all arguments are properly escaped for the shell. | LLM | src/browser.ts:60 |
| CRITICAL | Command Injection via Screenshot Filename | The `Browser.screenshot` method constructs a filepath using a user-provided `name` and then passes this path directly to `Browser.exec` for the `screenshot` command. If the `name` contains shell metacharacters (e.g., `my_screenshot; rm -rf /`), it can lead to arbitrary command execution. Sanitize the `name` parameter to remove or escape any shell metacharacters before constructing the `filepath`. Additionally, restrict the `screenshotDir` to a safe, non-user-controlled directory or validate it rigorously to prevent path traversal. | LLM | src/browser.ts:140 |
| CRITICAL | Command Injection via Press Key Parameter | The `Browser.press` method takes a user-provided `key` parameter and passes it directly to `Browser.exec` without any sanitization. If `key` contains shell metacharacters (e.g., `a; rm -rf /`), it can lead to arbitrary command execution. Sanitize the `key` parameter to remove or escape any shell metacharacters before passing it to `Browser.exec`. Prefer using `child_process.spawn` with an array of arguments for executing external commands. | LLM | src/browser.ts:172 |
| CRITICAL | Path Traversal for Reading Suite Files | The `runSuite` command in `src/cli.ts` takes a `suitePath` directly from user input (`positionals[1]`). This path is then resolved and used with `readFileSync`. A malicious user could provide a path like `../../../../etc/passwd` to read arbitrary files from the system. Validate and sanitize the `suitePath` to prevent path traversal. Ensure the path is within an expected directory (e.g., a dedicated 'tests' folder) and does not contain `..` segments or absolute paths outside the allowed scope. Use `path.normalize` and check against a base directory. | LLM | src/cli.ts:164 |
| CRITICAL | Path Traversal for Reading Report Results | The `report` command in `src/cli.ts` takes a `results` file path directly from user input (`positionals[1]`). This path is then used by `generateReportFromFile` (in `src/reporter.ts`) with `readFileSync`. A malicious user could provide a path like `../../../../etc/shadow` to read arbitrary files from the system. Validate and sanitize the `results` file path to prevent path traversal. Ensure the path is within an expected directory and does not contain `..` segments or absolute paths outside the allowed scope. | LLM | src/cli.ts:109 |
| CRITICAL | Arbitrary File Write via Report Output Path | The `report` command in `src/cli.ts` allows a user to specify an `output` file path (`-o` or `--output`). This path is directly used by `writeFileSync` in `src/reporter.ts` (for Markdown and JSON reports) and passed to `npx ai-pdf-builder` (for PDF reports). A malicious user could specify a path like `../../../../tmp/malicious.sh` to write arbitrary content to any location on the filesystem. Validate and sanitize the `output` file path to prevent path traversal. Restrict output files to a designated, secure directory (e.g., a temporary directory or a user-specific output folder) and ensure no `..` segments or absolute paths outside this scope are allowed. | LLM | src/cli.ts:109 |
| CRITICAL | Command Injection via Company Name in PDF Generation | The `generatePdf` method in `src/reporter.ts` constructs a shell command to execute `npx ai-pdf-builder`. The user-provided `company` name (from CLI options) is directly embedded into this command string without any sanitization. A malicious `company` name (e.g., `My Company" --evil-arg "$(rm -rf /)"`) can lead to arbitrary command execution. Sanitize the `company` name to remove or escape any shell metacharacters before embedding it in the `execSync` command. Alternatively, use a library or method that safely passes arguments to external processes without shell interpretation. | LLM | src/reporter.ts:209 |
| CRITICAL | Command Injection via Output Path in PDF Generation | The `generatePdf` method in `src/reporter.ts` constructs a shell command to execute `npx ai-pdf-builder`. The user-provided `options.output` path is directly embedded into this command string without any sanitization. A malicious `output` path (e.g., `report.pdf" --evil-arg "$(rm -rf /)"`) can lead to arbitrary command execution, in addition to the arbitrary file write risk. Sanitize the `options.output` path to remove or escape any shell metacharacters before embedding it in the `execSync` command. Additionally, enforce strict path validation to prevent path traversal and restrict output to designated directories. | LLM | src/reporter.ts:209 |
| HIGH | Incomplete Sanitization for Type Text Command Injection | The `Browser.type` method attempts to sanitize user-provided `text` by replacing double quotes (`.replace(/'/g, '\'')`) before embedding it in a shell command. However, this sanitization is incomplete and does not protect against other shell metacharacters (e.g., backticks, semicolons, newlines, dollar signs) that could still lead to command injection. Implement comprehensive shell escaping for all user-provided `text` before passing it to `Browser.exec`. A more robust solution is to use `child_process.spawn` with an array of arguments, which handles argument separation more securely and avoids the need for manual shell escaping. | LLM | src/browser.ts:166 |
| MEDIUM | Unpinned npm dependency version | Dependency 'yaml' is not pinned to an exact version ('^2.3.4'). Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/nextfrontierbuilds/web-qa-bot/package.json |
| LOW | Unpinned Dependency Versions in package.json | The `package.json` file specifies dependencies (`yaml: "^2.3.4"`) and peer dependencies (`agent-browser: ">=0.7.0"`) using version ranges (caret and greater-than-or-equal-to). While `package-lock.json` pins exact versions for this package's build, using ranges in `package.json` can lead to different versions being installed in other environments or by consumers of this skill, potentially introducing new vulnerabilities if a future version of a dependency contains a flaw. `agent-browser` is a peer dependency, so its version is ultimately controlled by the consuming project, but the range still allows for broad updates. Consider pinning exact versions for all direct dependencies in `package.json` to ensure consistent and predictable builds across all environments. For peer dependencies, while ranges are common, evaluate if a narrower range or a specific minimum version is more appropriate for security and compatibility. | LLM | package.json:39 |
Full report: https://skillshield.io/report/8402cac80f741449