Fähigkeiten webapp-testing Audit-Verlauf
🧪

Audit-Verlauf

webapp-testing - 5 Audits

Audit-Version 5

Neueste Niedriges Risiko

Jan 16, 2026, 05:08 PM

Legitimate web testing toolkit using Playwright. Static findings are false positives: LICENSE.txt cryptographic warnings are standard legal text, subprocess usage is user-controlled for local dev servers, markdown backticks in SKILL.md are documentation formatting. No data exfiltration, credential theft, or persistence mechanisms detected.

7
Gescannte Dateien
814
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
scripts/with_server.py:69-74
Shell execution with user-controlled commands
with_server.py uses subprocess.Popen with shell=True to execute server commands provided via CLI. This is intentional for supporting compound shell commands. Commands are user-provided for local development.

Risikofaktoren

⚡ Enthält Skripte (1)
scripts/with_server.py:1-106
🌐 Netzwerkzugriff (1)
examples/console_logging.py:5
📁 Dateisystemzugriff (1)
examples/element_discovery.py:37-38
⚙️ Externe Befehle (1)
scripts/with_server.py:69-74

Audit-Version 4

Niedriges Risiko

Jan 16, 2026, 05:08 PM

Legitimate web testing toolkit using Playwright. Static findings are false positives: LICENSE.txt cryptographic warnings are standard legal text, subprocess usage is user-controlled for local dev servers, markdown backticks in SKILL.md are documentation formatting. No data exfiltration, credential theft, or persistence mechanisms detected.

7
Gescannte Dateien
814
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
scripts/with_server.py:69-74
Shell execution with user-controlled commands
with_server.py uses subprocess.Popen with shell=True to execute server commands provided via CLI. This is intentional for supporting compound shell commands. Commands are user-provided for local development.

Risikofaktoren

⚡ Enthält Skripte (1)
scripts/with_server.py:1-106
🌐 Netzwerkzugriff (1)
examples/console_logging.py:5
📁 Dateisystemzugriff (1)
examples/element_discovery.py:37-38
⚙️ Externe Befehle (1)
scripts/with_server.py:69-74

Audit-Version 3

Mittleres Risiko

Jan 10, 2026, 10:40 AM

This skill provides legitimate web testing functionality using Playwright. It includes a server management script that executes user-provided shell commands for starting local development servers. The shell=True usage in subprocess is a known security concern but is intentional for supporting compound shell commands like 'cd backend && python server.py'. No credential theft, data exfiltration, or persistence mechanisms detected.

6
Gescannte Dateien
456
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
scripts/with_server.py:69-74
Shell command execution with user input
The with_server.py script uses subprocess.Popen with shell=True to execute server commands provided via command-line arguments. While this is intentional for supporting compound shell commands (e.g., 'cd backend && python server.py'), shell=True combined with user input is a known security concern. An attacker who controls the command arguments could potentially execute arbitrary commands. Relevant code (scripts/with_server.py:69-74): ```python process = subprocess.Popen( server['cmd'], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) ``` This is mitigated by: (1) commands come from the user's own arguments, (2) the skill is designed for local development server management, (3) no remote execution vector exists.

Risikofaktoren

⚡ Enthält Skripte (1)
scripts/with_server.py:1-106
🌐 Netzwerkzugriff (3)
scripts/with_server.py:23-32 examples/element_discovery.py:10-11 examples/console_logging.py:5
📁 Dateisystemzugriff (4)
examples/static_html_automation.py:6-7 examples/static_html_automation.py:17-29 examples/element_discovery.py:37-38 examples/console_logging.py:31-32
⚙️ Externe Befehle (2)
scripts/with_server.py:69-74 scripts/with_server.py:88

Audit-Version 2

Mittleres Risiko

Jan 10, 2026, 10:40 AM

This skill provides legitimate web testing functionality using Playwright. It includes a server management script that executes user-provided shell commands for starting local development servers. The shell=True usage in subprocess is a known security concern but is intentional for supporting compound shell commands like 'cd backend && python server.py'. No credential theft, data exfiltration, or persistence mechanisms detected.

6
Gescannte Dateien
456
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
scripts/with_server.py:69-74
Shell command execution with user input
The with_server.py script uses subprocess.Popen with shell=True to execute server commands provided via command-line arguments. While this is intentional for supporting compound shell commands (e.g., 'cd backend && python server.py'), shell=True combined with user input is a known security concern. An attacker who controls the command arguments could potentially execute arbitrary commands. Relevant code (scripts/with_server.py:69-74): ```python process = subprocess.Popen( server['cmd'], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) ``` This is mitigated by: (1) commands come from the user's own arguments, (2) the skill is designed for local development server management, (3) no remote execution vector exists.

Risikofaktoren

⚡ Enthält Skripte (1)
scripts/with_server.py:1-106
🌐 Netzwerkzugriff (3)
scripts/with_server.py:23-32 examples/element_discovery.py:10-11 examples/console_logging.py:5
📁 Dateisystemzugriff (4)
examples/static_html_automation.py:6-7 examples/static_html_automation.py:17-29 examples/element_discovery.py:37-38 examples/console_logging.py:31-32
⚙️ Externe Befehle (2)
scripts/with_server.py:69-74 scripts/with_server.py:88

Audit-Version 1

Mittleres Risiko

Jan 10, 2026, 10:40 AM

This skill provides legitimate web testing functionality using Playwright. It includes a server management script that executes user-provided shell commands for starting local development servers. The shell=True usage in subprocess is a known security concern but is intentional for supporting compound shell commands like 'cd backend && python server.py'. No credential theft, data exfiltration, or persistence mechanisms detected.

6
Gescannte Dateien
456
Analysierte Zeilen
5
befunde
claude
Auditiert von
Probleme mit mittlerem Risiko (1)
scripts/with_server.py:69-74
Shell command execution with user input
The with_server.py script uses subprocess.Popen with shell=True to execute server commands provided via command-line arguments. While this is intentional for supporting compound shell commands (e.g., 'cd backend && python server.py'), shell=True combined with user input is a known security concern. An attacker who controls the command arguments could potentially execute arbitrary commands. Relevant code (scripts/with_server.py:69-74): ```python process = subprocess.Popen( server['cmd'], shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE ) ``` This is mitigated by: (1) commands come from the user's own arguments, (2) the skill is designed for local development server management, (3) no remote execution vector exists.

Risikofaktoren

⚡ Enthält Skripte (1)
scripts/with_server.py:1-106
🌐 Netzwerkzugriff (3)
scripts/with_server.py:23-32 examples/element_discovery.py:10-11 examples/console_logging.py:5
📁 Dateisystemzugriff (4)
examples/static_html_automation.py:6-7 examples/static_html_automation.py:17-29 examples/element_discovery.py:37-38 examples/console_logging.py:31-32
⚙️ Externe Befehle (2)
scripts/with_server.py:69-74 scripts/with_server.py:88
← Zurück zum Skill