unity-testrunner
Warn
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONCREDENTIALS_UNSAFE
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The CI/CD templates in references/cli-automation.md reference GitHub Actions game-ci/unity-test-runner@v4 and dorny/test-reporter@v1, which are from organizations not included in the Trusted Sources list.
- COMMAND_EXECUTION (MEDIUM): PowerShell and Bash scripts in references/cli-automation.md dynamically construct and execute commands using variables for binary paths and arguments. This introduces a risk of arbitrary command execution if project metadata or filter parameters are maliciously crafted.
- CREDENTIALS_UNSAFE (LOW): The troubleshooting section in references/cli-automation.md provides a template for license activation that includes passing -username and -password as command-line arguments. This is an insecure practice as it may leak sensitive credentials to system logs or process monitoring tools.
- PROMPT_INJECTION (LOW): Category 8 (Indirect Prompt Injection): 1. Ingestion points: ProjectVersion.txt and XML test result files (references/cli-automation.md). 2. Boundary markers: Absent. 3. Capability: Local subprocess execution of Unity Editor via the & operator. 4. Sanitization: Absent. The skill processes data from the local project environment which could influence command execution paths.
Audit Metadata