version-migration
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides several shell scripts (e.g., audit-components.sh, find-formik.sh, validate-migration.sh) that use standard tools like grep and sed to analyze the local src/ directory and package.json file. These operations are conducted locally within the user's project directory.
- [EXTERNAL_DOWNLOADS]: Documentation and setup scripts reference well-known tools and services, specifically Playwright for visual regression testing and Chromatic for UI documentation. These are recognized industry-standard services.
- [REMOTE_CODE_EXECUTION]: The setup-playwright-vrt.sh script generates Playwright configuration and test specifications. It dynamically constructs test cases by extracting route paths from the application's source files using grep. This pattern of generating executable code from project files represents an indirect prompt injection surface.
  - Ingestion points: The script reads files in the src/, app/, and pages/ directories to extract routing paths from JSX/TSX components.
  - Boundary markers: No explicit sanitization or boundary markers are used when interpolating extracted route strings into the generated e2e/components.spec.ts file.
  - Capability inventory: The skill generates a TypeScript test file intended to be executed via npx playwright test.
  - Sanitization: Extracted route strings are used directly in code generation without escaping or validation, which could allow for code injection into the generated test suite if the source files contain specifically crafted strings.