testing-handbook-skills
Fail
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: CRITICAL (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill references several external resources for setup and installation. This includes cloning the Testing Handbook from the Trail of Bits GitHub repository and downloading tool-specific components like the Rust installer (sh.rustup.rs) and the LLVM GPG keys (apt.llvm.org). All downloads target trusted organizations or well-known technology services.
- [COMMAND_EXECUTION]: The skill provides extensive documentation for executing CLI tools, including system configuration scripts (afl-system-config), package managers (pip, gem, cargo, apt), and compilation commands (clang, gcc). These are the intended primary functions of the testing toolkit. A Python validation script (validate-skills.py) is included to verify the integrity of generated content.
- [PROMPT_INJECTION]: The 'testing-handbook-generator' skill possesses an indirect prompt injection surface as it ingests data from the external handbook repository to generate new instructions. This is a low-risk inherent feature of a generator skill, mitigated by the use of structured templates.
- [SAFE]: No malicious patterns, obfuscation, or unauthorized data exfiltration were detected. The skill includes explicit security warnings for the user regarding tools that require root privileges or disable OS security features for performance (AFL++), demonstrating a transparent security posture.
Recommendations
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata