coverage-drop-investigator
Pass
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill executes local shell commands including `git`, `jq`, and `npx jest` to automate a coverage investigation runbook.
- [EXTERNAL_DOWNLOADS]: The skill uses `npx` to run `jest`, which may download the package from the official npm registry if it is not already present in the environment. This is standard behavior for Node.js development tools.
- [INDIRECT_PROMPT_INJECTION]: The skill processes data from the local filesystem (coverage reports and git diffs). While it lacks explicit boundary markers for this data, it uses `jq` with argument flags (`--arg`), which safely handles input strings, mitigating risks of command injection through filenames.
Audit Metadata