qe-contract-testing
Pass
Audited by Gen Agent Trust Hub on Feb 27, 2026
Risk Level: SAFE, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [SAFE]: No malicious patterns, obfuscation, or unauthorized network behaviors were identified. The skill's functionality aligns with its purpose of API contract validation.
- [COMMAND_EXECUTION]: The skill uses the aqe command-line utility to perform contract generation and verification tasks, which is standard for quality engineering tools.
- [CREDENTIALS_UNSAFE]: The skill correctly demonstrates using environment variables (process.env.PACT_TOKEN) for API authentication rather than hardcoding credentials.
- [PROMPT_INJECTION]: The skill analyzes external data sources (OpenAPI and GraphQL schemas), creating an indirect prompt injection surface. This is a low-risk surface inherent to testing tools.
  - Ingestion points: openapi.yaml, schema.graphql, and events/schemas/ (SKILL.md).
  - Boundary markers: None identified in the provided templates.
  - Capability inventory: Executes aqe CLI and writes contract results to the local file system.
  - Sanitization: Not explicitly mentioned in the skill documentation.
Audit Metadata