contract-testing

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE
Categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted external data such as API contracts and interaction descriptions.
    • Ingestion points: API definitions and consumer expectations passed to the qe-api-contract-validator agent.
    • Boundary markers: There are no explicit markers used to distinguish external data from agent instructions in the provided snippets.
    • Capability inventory: The skill orchestrates agents that can execute tasks and references shell command execution for CI/CD integration.
    • Sanitization: No documentation exists regarding the sanitization of external input before agent processing.
  • [EXTERNAL_DOWNLOADS]: The skill references well-known testing frameworks and utilities.
    • Evidence: References to @pact-foundation/pact, pact-broker, and jq are present throughout the documentation.
  • [COMMAND_EXECUTION]: The skill includes instructions for running shell commands as part of its core functionality.
    • Evidence: Examples in SKILL.md detail the use of npm and npx for publishing and verifying contracts.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 09:39 AM