testing-ci
Pass
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Fetches a bash script from the official domain of Codecov, a well-known service, for coverage reporting purposes.
- [REMOTE_CODE_EXECUTION]: Executes the bash script retrieved from Codecov within the CI environment.
- [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface due to its consumption of untrusted test output data.
- Ingestion points: Reads and parses JUnit XML and Allure reports (e.g., junit.xml, allure-results.xml) to identify flaky tests.
- Boundary markers: No specific delimiters or instructions are used to separate untrusted report content from the agent's logic.
- Capability inventory: Capable of dispatching workflows, triggering runs, and executing shell commands via the OpenClaw CLI.
- Sanitization: There is no evidence of sanitization or validation of the content within the XML reports before they are processed by the skill.
Audit Metadata