Security Audit
snyk/agent-scan:tests/skills/webapp-testing
github.com/snyk/agent-scan
Trust Assessment
snyk/agent-scan:tests/skills/webapp-testing received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 9 findings: 3 critical, 4 high, 2 medium, and 0 low severity. Key findings include Arbitrary command execution, Dangerous call: subprocess.run(), Dangerous call: subprocess.Popen().
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on March 1, 2026 (commit 30a672c5). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (9)
| Severity | Finding | Description | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/webapp-testing/scripts/with_server.py:79 |
| CRITICAL | Arbitrary command execution | Python shell execution (os.system, subprocess). | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | tests/skills/webapp-testing/scripts/with_server.py:93 |
| CRITICAL | Command Injection via shell=True in subprocess.Popen | The `scripts/with_server.py` script uses `subprocess.Popen` with `shell=True` to execute user-provided server commands. This allows an attacker to inject arbitrary shell commands by crafting malicious input for the `--server` argument, leading to remote code execution on the host system. | Avoid using `shell=True` with user-controlled input. Instead, parse the command and its arguments using `shlex.split()` and pass them as a list to `subprocess.Popen` without `shell=True`. For complex commands involving `cd` or `&&`, consider alternative approaches such as changing the current working directory before execution or using a dedicated script. | Static | scripts/with_server.py:70 |
| HIGH | Dangerous call: subprocess.run() | Call to `subprocess.run()` detected in function `main`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/webapp-testing/scripts/with_server.py:93 |
| HIGH | Dangerous call: subprocess.Popen() | Call to `subprocess.Popen()` detected in function `main`. This can execute arbitrary code. | Avoid using dangerous functions like exec/eval/os.system. Use safer alternatives. | Static | tests/skills/webapp-testing/scripts/with_server.py:79 |
| HIGH | Data Exfiltration via console log file | The `examples/console_logging.py` script writes captured browser console logs directly to `/mnt/user-data/outputs/console.log`. Console logs can contain sensitive information such as API keys, user data, debugging messages, or error details. Writing this data to a shared output directory creates a channel for data exfiltration. | Avoid writing potentially sensitive console logs to shared or easily accessible directories. If logging is necessary, sanitize the logs to remove sensitive information, or prompt the user for an explicit, non-default output path and consent before writing. | Static | examples/console_logging.py:30 |
| HIGH | Data Exfiltration via screenshots to shared output directory | The `examples/static_html_automation.py` script saves screenshots of the web page to `/mnt/user-data/outputs/static_page.png` and `/mnt/user-data/outputs/after_submit.png`. Screenshots can capture sensitive information displayed on the page, such as form data, personal details, or internal application states. Writing these to a shared output directory creates a channel for data exfiltration. | Avoid writing potentially sensitive screenshots to shared or easily accessible directories. If screenshots are necessary, prompt the user for an explicit, non-default output path and consent, or implement mechanisms to redact sensitive areas of the screenshot. | Static | examples/static_html_automation.py:20 |
| MEDIUM | Suspicious import: socket | Import of `socket` detected. This module provides network or low-level system access. | Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration. | Static | tests/skills/webapp-testing/scripts/with_server.py:18 |
| MEDIUM | Excessive Permissions: Local file access via file:// URLs | The `examples/static_html_automation.py` script constructs a `file://` URL from a user-provided file path (`html_file_path = os.path.abspath("path/to/your/file.html")`). An attacker could manipulate the agent to provide a path to a sensitive local file (e.g., `/etc/passwd`, user data files). While Playwright's browser context has some sandboxing, loading arbitrary local files into the browser can expose their content to the agent via `page.content()` or screenshots, potentially leading to information disclosure. | Restrict the `file://` URL functionality to a specific, non-sensitive directory, or require explicit user confirmation for any file path that is not within a designated safe zone. Consider whether direct local file access is truly necessary for the skill's intended purpose. | Static | examples/static_html_automation.py:6 |
Full report: https://skillshield.io/report/a0df3e9695099639