contract-testing
Pass
Audited by Gen Agent Trust Hub on Apr 19, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [SAFE]: No security issues detected. The skill follows established QE industry standards and uses legitimate tools for API contract validation.
- [PROMPT_INJECTION]: The skill involves processing external data such as OpenAPI specifications, GraphQL schemas, and consumer contract files, which represents an attack surface for indirect prompt injection. 1. Ingestion points: openapi.yaml, schema.graphql, and JSON Pact files (referenced in references/agent-commands.md and SKILL.md). 2. Boundary markers: The skill relies on structured data parsing (YAML/JSON) to delimit content. 3. Capability inventory: CLI command execution via the aqe tool, contract generation, and network interaction with a Pact Broker. 4. Sanitization: No explicit sanitization or validation of the logic within input specifications is documented. As this surface is intrinsic to the primary function of contract testing, it is considered a low risk and does not escalate the safety verdict.
Audit Metadata