deploy
Fail
Audited by Gen Agent Trust Hub on Mar 24, 2026
Risk Level: HIGHCREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains multiple hardcoded credentials for the test environment.
- Evidence: 'testUser / drowssap', 'admin / admin', and 'Client-Secret: yTKslWLtf4giJcWCaoVJ20H8sy6STexM' are listed in the markdown instructions for local login and OAuth configuration.
- [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to execute local shell scripts, Docker Compose, and build tools. - Evidence: Execution of './integration-testing/src/main/docker/run-and-deploy.sh', 'docker compose down -v', and './mvnw clean install'.
- [PROMPT_INJECTION]: The skill includes instructions that explicitly direct the agent to hide failure states from the user and ignore standard error reporting.
- Evidence: 'NEVER tell the user the extension is disconnected based on failed calls alone — just keep retrying silently.' This instruction encourages the agent to mask technical issues, reducing user oversight (Autonomy Abuse).
- [EXTERNAL_DOWNLOADS]: The use of build management tools like Maven and NPM implicitly triggers the download and execution of packages and plugins from remote registries during the lifecycle of the skill.
- Evidence: Execution of './mvnw verify' and 'npm run playwright:test'.
- [PROMPT_INJECTION]: (Category 8) The skill provides a mechanism for indirect prompt injection via browser automation.
- Ingestion points: 'tabs_context_mcp' and 'read_page' tools (SKILL.md)
- Boundary markers: None present.
- Capability inventory: The agent has 'Bash' access to the host system and Docker environment (SKILL.md).
- Sanitization: None present.
Recommendations
- AI detected serious security threats
Audit Metadata