api-test-generator
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFECREDENTIALS_UNSAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: Hardcoded credentials found in multiple files.
- Evidence: The password
123456789MikoPBX#1is used in authentication fixtures withinSKILL.md,templates/test-template.py, andreference/pytest-patterns.md. - Context: This appears to be a default development password for the MikoPBX system, but hardcoding it in templates poses a risk if used in production-like environments.
- [COMMAND_EXECUTION]: The skill uses the
Bashtool to perform several sensitive operations. - Evidence: It executes
findandgrepcommands to locateDataStructure.phpfiles on the local filesystem (e.g., path/Users/nb/PhpstormProjects/mikopbx/...). - Evidence: It uses
docker execto modify environment variables within a running container (e.g., settingSCHEMA_VALIDATION_STRICT=1). - [PROMPT_INJECTION]: The skill identifies an indirect prompt injection surface.
- Ingestion points: The skill reads configuration and parameter definitions from
DataStructure.phpfiles viaBashtools. - Boundary markers: No explicit boundary markers or "ignore instructions" warnings are used when processing the PHP file content.
- Capability inventory: The skill generates executable Python scripts that use the
requestslibrary and are intended to be run viapytest. - Sanitization: There is no evidence of sanitization or validation of the content extracted from the PHP files before it is interpolated into the generated Python code.
- [COMMAND_EXECUTION]: The skill generates Python script files (
.py) at runtime based on templates and external data, which is a form of dynamic code generation.
Audit Metadata