mutation-testing
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill invokes local shell scripts (generate-mutations.sh, run-mutation-test.sh, parse-results.sh) to perform file system operations and run Go binaries. These scripts operate on user-provided input files, which can lead to command injection if paths or arguments are not properly handled.
- REMOTE_CODE_EXECUTION (HIGH): The core logic involves creating mutated versions of source code and executing them via the test suite. This dynamic execution (Category 10) of generated code is inherently dangerous, as a malicious source file could contain payloads that trigger during the mutation or testing phase.
- INDIRECT_PROMPT_INJECTION (HIGH): (Category 8) The skill ingests untrusted external content (user source code) and possesses high-privilege execution capabilities (running tests and scripts). There are no boundary markers or sanitization steps documented to prevent malicious code from exploiting the agent during the analysis process.
- Ingestion points: User-provided Go source files via the --file argument.
- Boundary markers: None present in the documentation or script usage descriptions.
- Capability inventory: Shell script execution, file writing, and Go test execution (subprocess calls).
- Sanitization: No evidence of code sanitization or input validation before mutation or execution.
Recommendations
- AI detected serious security threats
Audit Metadata