ansible-validator
Pass
Audited by Gen Agent Trust Hub on Mar 4, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of Bash and Python scripts to execute Ansible commands. Specifically, `scripts/validate_playbook.sh`, `scripts/validate_role.sh`, and `scripts/test_role.sh` invoke `ansible-playbook`, `ansible-lint`, and `molecule` respectively to process user-provided Ansible files.
- [CREDENTIALS_UNSAFE]: Hardcoded credentials are present in the test suite. `test/playbooks/bad-playbook.yml` contains a password string (`hardcoded_password_123`), and `test/roles/geerlingguy.mysql/defaults/main.yml` includes default administrative credentials. These are used as test fixtures to verify that the validator's scanning tools (such as `scripts/scan_secrets.sh`) correctly identify insecure patterns.
- [EXTERNAL_DOWNLOADS]: Several scripts (e.g., `scripts/setup_tools.sh` and `scripts/test_role.sh`) automate the installation of validation tools from the Python Package Index (PyPI) and Ansible Galaxy. This includes packages like `ansible-core`, `ansible-lint`, `checkov`, and `molecule`. These downloads are used to bootstrap the skill's environment.
- [REMOTE_CODE_EXECUTION]: The `scripts/test_role.sh` and `scripts/validate_playbook.sh` scripts create temporary Python virtual environments and execute `pip install` to load required libraries at runtime. This behavior is documented and intended for environment readiness.
- [SAFE]: The skill includes a copy of the well-known and trusted `geerlingguy.mysql` Ansible role for testing purposes. All external repository references (e.g., Jeff Geerling's GitHub) and package sources (PyPI) are well-known technology services.