pytest-coverage-measurement
Pass
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: SAFE
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references the official installation script for the uv package manager from https://astral.sh/uv/install.sh. As Astral is a well-known service provider in the Python ecosystem, this download is categorized as safe.
- [REMOTE_CODE_EXECUTION]: The GitHub Actions example includes a piped shell command (curl | sh) to install uv. This pattern is documented as safe given the trusted nature of the source and its standard usage in CI/CD environments for tool installation.
- [COMMAND_EXECUTION]: Python scripts within the skill use subprocess.run to invoke pytest and generate coverage data. The implementation uses a static argument list and does not incorporate untrusted input, ensuring safe command execution.
- [PROMPT_INJECTION]: An indirect prompt injection surface was identified regarding the processing of coverage reports. While this represents a data ingestion point, it is assessed as safe.
- Ingestion points: coverage.json (Step 7, Example 2)
- Boundary markers: Absent
- Capability inventory: subprocess.run (Example 2)
- Sanitization: Absent; the script processes the JSON report for informational display. No critical downstream operations are performed with the parsed data.
Audit Metadata