test-coverage
Pass
Audited by Gen Agent Trust Hub on Apr 23, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Shell tool to run test frameworks (Vitest, Jest) and search files using grep. It also executes dynamic logic via node -e to parse coverage summaries.
- [EXTERNAL_DOWNLOADS]: The skill installs Node.js packages such as @vitest/coverage-v8 and other dependencies identified during test runs via pnpm. This introduces a potential supply chain risk if the agent is misled by malicious error messages into installing unauthorized packages.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection, as it processes code and configuration files from the repository.
  * Ingestion points: Reads package.json, config files, and all source/test files in the src directory.
  * Boundary markers: No delimiters or ignore instructions are used when reading file content.
  * Capability inventory: The skill can modify any file via the Write tool and execute shell commands via the Shell tool.
  * Sanitization: No sanitization is performed on ingested code or comments before they are used to guide refactoring or command execution.
Audit Metadata