team-quality-assurance

Warn

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill performs dynamic code execution through its automated testing pipeline.
      ◦ Evidence: The Executor role (role-specs/executor.md) runs test suites using system commands such as npx vitest, npx jest, python -m pytest, and npx mocha, depending on the detected framework.
      ◦ Evidence: The Generator role (role-specs/generator.md) creates and modifies test files at runtime using the Write and Edit tools.
      ◦ Context: While this is a core requirement for a QA tool, executing code that an AI generated from the existing codebase content inherently carries risk.
  • [PROMPT_INJECTION]: The skill's architecture is vulnerable to indirect prompt injection attacks.
      ◦ Ingestion points: The Scout role (role-specs/scout.md) and Generator role (role-specs/generator.md) read source code files, git diffs, and external CLI tool outputs to determine their actions.
      ◦ Boundary markers: The skill lacks explicit delimiters or "ignore embedded instructions" warnings when processing the contents of source files during the generation phase.
      ◦ Capability inventory: The skill possesses extensive capabilities, including Bash(*), Write(*), Edit(*), and the ability to spawn further agents via Agent(*).
      ◦ Sanitization: Although the Generator role performs syntax checks (e.g., tsc --noEmit), it does not sanitize the logical content of generated tests for potentially malicious commands that could be triggered during execution.
  • [EXTERNAL_DOWNLOADS]: The skill references well-known testing frameworks and internal tools.
      ◦ Evidence: It uses npx to invoke vitest, jest, and mocha as part of the standard testing workflow.
      ◦ Evidence: It uses the ccw CLI, which appears to be a specialized internal tool for triggering secondary analysis tasks via Gemini.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 8, 2026, 04:01 PM