Skills
skills/proffesor-for-testing/sentinel-api-testing/testability-scoring/Gen Agent Trust Hub

testability-scoring

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFECREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
  • CREDENTIALS_UNSAFE (LOW): Hardcoded credentials detected in a configuration template.
  • Evidence: resources/templates/config.template.js contains a userTypes array with plaintext usernames and passwords (e.g., password: 'secret_sauce'). Although these are standard credentials for the public demo site saucedemo.com, hardcoding credentials in templates is a violation of security best practices.
  • PROMPT_INJECTION (LOW): Indirect Prompt Injection surface identified through external data ingestion.
  • Ingestion points: The script scripts/run-assessment.sh accepts a user-provided URL as a command-line argument.
  • Boundary markers: None identified. The Playwright execution does not appear to use delimiters to isolate external content from the assessment logic.
  • Capability inventory: The skill executes shell commands (npx playwright test) and Node.js scripts (generate-html-report.js).
  • Sanitization: No explicit sanitization or validation of the input URL is performed before it is used to set the TEST_URL environment variable.
  • EXTERNAL_DOWNLOADS (SAFE): The skill uses npx to execute Playwright, which may involve downloading packages. This is considered safe as it targets the standard npmjs.org registry for a common development tool.
Audit Metadata
Risk Level
SAFE
Analyzed
Feb 17, 2026, 06:46 PM