skills/aviz85/tap-test-skill/tap-test/Gen Agent Trust Hub

tap-test

Pass

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: SAFE
Full Analysis
  • [SAFE]: The skill is primarily focused on improving test quality and includes extensive security documentation. It explicitly warns users about the risks of AI agents having write access to databases and provides actionable mitigations such as using read-only users, Claude Code hooks, and isolated environments.
  • [COMMAND_EXECUTION]: The skill instructions define a process for generating test code that launches a local Fastify server (typically on port 3999) and executes HTTP requests using fetch. This is standard behavior for integration testing tools.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface because it analyzes local source code (handlers, routers, and database clients) to generate its output.
      • Ingestion points: The 'Explore the project' step in SKILL.md reads project structure and handler files.
      • Boundary markers: No specific delimiters or 'ignore' instructions are mandated for the analyzed code.
      • Capability inventory: The skill generates executable test scripts that can perform database queries and network operations via a local server.
      • Sanitization: No explicit sanitization or validation of the ingested code snippets is described before they are incorporated into generated tests.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Mar 15, 2026, 09:18 AM