Security Audit

webapp-testing

github.com/skillcreatorai/Ai-Agent-Skills

AI SkillCommit 6195a031c29c

TRUSTED

Scanned 9 days ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

webapp-testing received a trust score of 89/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 0 high, 2 medium, and 0 low severity. Key findings include Potential Data Exfiltration via Screenshots, Potential Data Exfiltration via Console and Error Logs.

The analysis covered 4 layers: dependency_graph, manifest_analysis, llm_behavioral_safety, static_code_analysis. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 11, 2026 (commit 6195a031). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

100%

Dependency Graph

100%

LLM Behavioral Safety

86%

Behavioral Risk Signals

Filesystem Write

1 finding

Security Findings2

Severity	Finding	Layer	Location
MEDIUM	Potential Data Exfiltration via Screenshots The skill demonstrates the use of `page.screenshot()` which can capture the full content of a web page, including potentially sensitive data (e.g., PII, credentials, internal application state). If the agent is instructed to test a sensitive application and has the ability to save and subsequently exfiltrate these generated image files, it could lead to data leakage. Ensure that the agent's execution environment is strictly sandboxed, limiting file system access and preventing unauthorized exfiltration of generated files. Implement policies for handling and sanitizing screenshots of sensitive data, especially when testing applications that process confidential information.	Unknown	SKILL.md:69
MEDIUM	Potential Data Exfiltration via Console and Error Logs The skill demonstrates capturing browser console messages and page errors using `page.on('console', ...)` and `page.on('pageerror', ...)`. These logs can contain sensitive information (e.g., debugging data, API responses, error details) from the web application. If the agent's standard output/error streams are captured and transmitted, this could lead to data leakage. Ensure that the agent's execution environment captures and processes standard output/error securely, sanitizing or redacting sensitive information before storage or transmission. Limit the agent's ability to log arbitrary data to external systems and review the content of console logs for sensitive information.	Unknown	SKILL.md:77

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f4d9216c0e098fe8.svg)](https://skillshield.io/report/f4d9216c0e098fe8)