quality-run-quality-gates
Warn
Audited by Gen Agent Trust Hub on Feb 24, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute shell commands that are dynamically discovered by scanning the workspace for Makefiles, npm scripts, and custom configuration files like .claude/quality-gates.json.
- [REMOTE_CODE_EXECUTION]: By executing project-defined scripts (e.g., ./scripts/check_all.sh or npm run check) without sanitization, the skill provides a mechanism for arbitrary code execution if the workspace contains malicious content.
- [EXTERNAL_DOWNLOADS]: The skill encourages the use of various package managers (npm, uv, cargo, etc.) to install and run quality tools, which involves fetching software from public registries.
- [PROMPT_INJECTION]: The SKILL.md file contains authoritative instructions ("MANDATORY", "DEFINITION OF DONE: MET") designed to compel the agent to run quality gates, potentially overriding developer discretion and leading to the execution of untrusted scripts.