validating-api-contracts
Pass
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: SAFE
Full Analysis
- [DYNAMIC_EXECUTION]: The Python script
scripts/generate_pact_tests.pyincludes functionality to generate executable shell scripts from templates and user-provided content. While this creates a surface for dynamic code generation, it is an intended feature of the testing framework and is mitigated by the restricted tool access defined in the skill metadata. - [INDIRECT_PROMPT_INJECTION]: The skill processes external data which represents a potential vulnerability surface.
- Ingestion points: The skill reads configuration files from
{baseDir}/config/and processes OpenAPI/Pact specifications. - Boundary markers: The instructions do not define specific delimiters to separate untrusted data from instructions.
- Capability inventory: The skill utilizes
Bash(test:contract-*),Write, andEdittools. - Sanitization: The provided scripts do not show evidence of sanitizing or validating external content before it is used in script generation.
- [COMMAND_EXECUTION]: The skill metadata defines a restricted command execution scope using
Bash(test:contract-*). This practice limits the agent's ability to execute arbitrary commands, restricting it to tasks associated with contract testing.
Audit Metadata