android-test-structure
Warn
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): Potential Path Traversal via unsanitized input. The skill takes the package_name input and converts it to a path using a simple character replacement without validating against traversal sequences.
- Ingestion point: package_name input variable.
- Boundary markers: None present in the bash scripts.
- Capability inventory: Permission to create directories (mkdir -p) and write files (BaseTest.kt, TestUtils.kt).
- Sanitization: Only replaces dots with slashes using tr, which does not prevent directory traversal (e.g., providing ../../ as input).
- [COMMAND_EXECUTION] (LOW): Encourages the execution of project-local binaries. The skill documentation suggests running ./gradlew connectedAndroidTest, which assumes the local project environment is safe and that the gradlew wrapper has not been tampered with.
Audit Metadata