
Audit history

webapp-testing - 4 audits

Audit version 4

Latest: Low risk

Jan 16, 2026, 11:17 PM

Legitimate Playwright-based testing toolkit. All network connections are to localhost only. Filesystem writes target user-controlled directories (/tmp, /mnt/user-data/outputs). Subprocess usage in with_server.py is appropriate for local dev server management. Static findings are false positives triggered by documentation code examples, license text, and JSON field names.

7 files scanned
844 lines analyzed
4 findings
Auditor: claude
Low-risk issues (1)
Shell execution for local dev servers
with_server.py uses subprocess with shell=True to run user-provided server commands. This is necessary for the tool's purpose but allows arbitrary command execution. However, this is a local testing tool where the user provides their own commands.

Audit version 3

Low risk

Jan 16, 2026, 11:17 PM

Legitimate Playwright-based testing toolkit. All network connections are to localhost only. Filesystem writes target user-controlled directories (/tmp, /mnt/user-data/outputs). Subprocess usage in with_server.py is appropriate for local dev server management. Static findings are false positives triggered by documentation code examples, license text, and JSON field names.

7 files scanned
844 lines analyzed
4 findings
Auditor: claude
Low-risk issues (1)
Shell execution for local dev servers
with_server.py uses subprocess with shell=True to run user-provided server commands. This is necessary for the tool's purpose but allows arbitrary command execution. However, this is a local testing tool where the user provides their own commands.

Audit version 2

Low risk

Jan 6, 2026, 07:57 AM

Legitimate webapp testing toolkit using Playwright. Contains Python scripts that manage local dev servers and perform browser automation. Capabilities align with stated purpose. Risk factors are appropriate for a testing tool.

6 files scanned
512 lines analyzed
6 findings
Auditor: claude
Low-risk issues (2)
Shell execution in server management script
The with_server.py script uses subprocess.Popen with shell=True to execute user-provided server commands (lines 69-74). While this is necessary to support commands like 'cd backend && python server.py', it allows arbitrary shell command execution. An attacker who controls the command arguments could execute malicious commands. However, this is a local testing tool where the user provides their own commands.
Filesystem writes to user directories
Example scripts write screenshots and logs to /mnt/user-data/outputs and /tmp directories (static_html_automation.py:17, 29; element_discovery.py:37; console_logging.py:31). This is appropriate for a testing tool storing test artifacts.

Audit version 1

Low risk

Jan 6, 2026, 07:57 AM

Legitimate webapp testing toolkit using Playwright. Contains Python scripts that manage local dev servers and perform browser automation. Capabilities align with stated purpose. Risk factors are appropriate for a testing tool.

6 files scanned
512 lines analyzed
6 findings
Auditor: claude
Low-risk issues (2)
Shell execution in server management script
The with_server.py script uses subprocess.Popen with shell=True to execute user-provided server commands (lines 69-74). While this is necessary to support commands like 'cd backend && python server.py', it allows arbitrary shell command execution. An attacker who controls the command arguments could execute malicious commands. However, this is a local testing tool where the user provides their own commands.
Filesystem writes to user directories
Example scripts write screenshots and logs to /mnt/user-data/outputs and /tmp directories (static_html_automation.py:17, 29; element_discovery.py:37; console_logging.py:31). This is appropriate for a testing tool storing test artifacts.
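The "Shell execution" finding repeated in audit versions 1 through 4 turns on one design choice: with_server.py hands a user-supplied string to subprocess with shell=True so that forms like 'cd backend && python server.py' work. The example below is added here as an illustration and is not the project's with_server.py or code from the audit. It places that pattern beside a shell-free launcher that tokenizes the command with shlex, rejects bare shell operators, and takes the working directory as an explicit cwd argument, so 'cd backend && python server.py' becomes with_server("python server.py", ..., cwd="backend"). The function names, the cwd parameter, the operator denylist and the smoke test (which serves the current directory with the standard-library http.server on a port chosen at run time) are all assumptions made for this example.

```python
"""Added example: launching a user-supplied dev server command without a shell.

Not the project's own with_server.py. Function names, the cwd parameter and
the http.server smoke test are assumptions made for this illustration.
"""
import shlex
import socket
import subprocess
import sys
import time
from typing import List, Optional

# Tokens that only mean something to a shell; with shell=False they would be
# passed to the program as literal arguments, so reject them instead.
SHELL_OPERATORS = {"&&", "||", ";", "|", "&", ">", ">>", "<"}


def start_with_shell(command: str) -> subprocess.Popen:
    """The pattern the audit describes (illustration only, not called below):
    the whole string goes to /bin/sh, so 'cd backend && python server.py'
    works, and so does any other shell syntax the string happens to contain."""
    return subprocess.Popen(command, shell=True)


def build_argv(command: str) -> List[str]:
    """Tokenize a command string for shell=False execution.

    Quoting is honoured by shlex, so a ';' inside a quoted -c argument stays
    inside that one token. Bare shell operators are rejected because the
    user's intent to chain commands cannot be met without a shell."""
    argv = shlex.split(command)
    if not argv:
        raise ValueError("empty command")
    bad = [tok for tok in argv if tok in SHELL_OPERATORS]
    if bad:
        raise ValueError(
            f"shell operator(s) {bad} not allowed without a shell; "
            "pass cwd= instead of 'cd <dir> &&'"
        )
    return argv


def start_without_shell(command: str, cwd: Optional[str] = None) -> subprocess.Popen:
    """Hardened launcher: argv list, no shell, explicit working directory."""
    return subprocess.Popen(build_argv(command), cwd=cwd)


def wait_for_port(port: int, host: str = "127.0.0.1", timeout: float = 15.0) -> bool:
    """Poll until something accepts TCP connections on host:port (localhost only)."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(0.5)
            if s.connect_ex((host, port)) == 0:
                return True
        time.sleep(0.1)
    return False


def with_server(server_cmd: str, test_cmd: str, port: int,
                cwd: Optional[str] = None, timeout: float = 15.0) -> int:
    """Start the server, wait for its port, run the test command, always clean
    up the server process. Returns the test command's exit status."""
    server = start_without_shell(server_cmd, cwd=cwd)
    try:
        if not wait_for_port(port, timeout=timeout):
            raise TimeoutError(f"nothing listening on 127.0.0.1:{port} after {timeout}s")
        return subprocess.run(build_argv(test_cmd)).returncode
    finally:
        server.terminate()
        try:
            server.wait(timeout=5)
        except subprocess.TimeoutExpired:
            server.kill()
            server.wait()


def free_port() -> int:
    """Ask the OS for an unused localhost port (constructed for the demo)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def run_smoke_test() -> int:
    """Demo: serve the current directory with the stdlib http.server, then
    fetch '/' from a second interpreter. Both commands are plain strings, as
    a user of the tool would type them, but neither needs a shell."""
    port = free_port()
    py = shlex.quote(sys.executable)
    server_cmd = f"{py} -m http.server {port} --bind 127.0.0.1"
    test_cmd = (f"{py} -c \"import urllib.request; "
                f"urllib.request.urlopen('http://127.0.0.1:{port}/').read()\"")
    return with_server(server_cmd, test_cmd, port)


if __name__ == "__main__":
    print("shell-free smoke test exit status:", run_smoke_test())
```

Note what the hardened form gives up: users who relied on '&&' chaining or environment-variable expansion in the command string now get a ValueError with a hint, and the tool must grow a cwd option for the one idiom that was actually needed. That trade is usually worth it even for a local tool, because the command string tends to be copied from README files, CI configs and agent-generated instructions, not just typed by hand.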