qa-manual-istqb
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- SAFE (SAFE): No security issues were detected across all analyzed files.
- Prompt Injection: The content consists of instructional material for software testers. References to "SQL injection" and "XSS" in `references/experience-based-techniques.md` are correctly contextualized as examples of security defects to look for during testing, not as instructions to the agent.
- Data Exposure & Exfiltration: No hardcoded credentials, API keys, or sensitive file paths were found. Templates (e.g., `assets/templates/test-environment-checklist.md`) use safe placeholders for configuration data.
- Obfuscation: All documentation and templates are in clear text. No Base64, zero-width characters, or homoglyphs were detected.
- Unverifiable Dependencies & RCE: While the skill references `playwright` and `Node.js`, it does not include any scripts that perform installations or execute remote code. Commands like `npx playwright test` are provided as documentation for manual or CI usage.
- Indirect Prompt Injection (SAFE): The skill provides templates that interpolate data (e.g., `{{feature}}` in `assets/templates/test-conditions.md`). While this represents a data ingestion surface, the skill lacks any active logic or executable scripts to process this data, resulting in no risk of exploitation.
  - Ingestion points: `assets/templates/*.md` files containing `{{variable}}` placeholders.
  - Boundary markers: Absent in templates.
  - Capability inventory: No active scripts or command execution logic included.
  - Sanitization: No sanitization logic provided, but unnecessary given the lack of executable capabilities.
Audit Metadata