write-tests
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill reads untrusted data from the local file system, specifically git diff outputs and file contents, which are then used to populate instructions for specialized agents (Sonnet/Opus).
  - Ingestion points: The skill reads file contents via {FILE_PATH}, git diff, and project documentation like @README.md.
  - Boundary markers: No explicit boundary markers or XML tags are used to isolate untrusted code content from the agent instructions in the provided templates.
  - Capability inventory: The skill can execute shell commands (git status, test commands), write new files (tests), and spawn multiple sub-agents with broad instructions.
  - Sanitization: No sanitization or filtering of the code content is performed before passing it to the LLM.
- Command Execution (HIGH): The skill automatically discovers and executes shell commands for running tests and generating coverage reports from package.json or other project configs. This is a vector for arbitrary command execution if an attacker can influence the project configuration files.
- Remote Code Execution (HIGH): The skill implements a 'write-and-execute' loop where agents generate test code that is immediately executed in the local environment. If the generation phase is compromised via indirect prompt injection, this leads directly to RCE.
- Metadata Poisoning (LOW): The skill relies on external skills like sadd and TDD without verifying their provenance or integrity within this file, though this is a common pattern in modular agent design.
Recommendations
- AI detected serious security threats
Audit Metadata