dotnet-ado-build-test

Warn

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The "Enforce coverage threshold" script has a command injection vulnerability caused by unsafe variable interpolation.
  • The script locates a coverage file with find and stores its path in the $COVERAGE_FILE shell variable.
  • That variable is then interpolated directly into inline Python source: tree = ET.parse('$COVERAGE_FILE'). The path lands inside a single-quoted Python string literal, so double-quoting the variable on the shell side does not close the hole; the breakout happens at the Python layer, not the shell layer.
  • A file whose name contains a single quote followed by Python code (closing the literal, e.g. a name of the shape x'); <python>; ('y.xml) would have the rest of its name executed as Python with the privileges of the CI pipeline runner. Anything that can create a file in the search directory during the build, such as a commit that adds one or a test or package script that writes one, can trigger this.
  • [EXTERNAL_DOWNLOADS]: The skill downloads and installs software at build time from trusted sources.
  • It installs the dotnet-reportgenerator-globaltool from NuGet to process coverage reports.
  • It uses the UseDotNet@2 task to fetch .NET SDK versions from Microsoft's official distribution servers.
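The following is an added example, not code from the audited skill or from the trust hub. It reconstructs the pattern the COMMAND_EXECUTION finding describes and places the hardened form beside it. The template string, the crafted filename, the sample report and the function names are all constructed for illustration; the report format (a Cobertura-style root element with a line-rate attribute) is an assumption, since the page only says the file is parsed with ElementTree. The injected statements are counted with ast, never executed.

```python
import ast
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

# Constructed approximation of the inline Python the audit describes: a shell
# variable is pasted into a single-quoted Python string literal. The template
# is only ever parsed here, never executed.
VULNERABLE_TEMPLATE = (
    "import xml.etree.ElementTree as ET\n"
    "tree = ET.parse('$COVERAGE_FILE')\n"
)

# Constructed crafted filename: closes the string literal, smuggles in two
# statements, then reopens a literal so the remainder still parses. It has no
# slash, so it is a legal single path component on a Linux agent.
CRAFTED_NAME = "a'); import os; os.system('touch pwned'); ('b.xml"

# Constructed minimal Cobertura-style report (an assumption about the format).
SAMPLE_XML = (
    '<?xml version="1.0"?>\n'
    '<coverage line-rate="0.8732" branch-rate="0.7000" version="1.9">\n'
    "  <packages/>\n"
    "</coverage>\n"
)


def build_inline_python(path: str) -> str:
    """Mimic the shell's variable interpolation: the path becomes source text."""
    return VULNERABLE_TEMPLATE.replace("$COVERAGE_FILE", path)


def count_statements(source: str) -> int:
    """An honest filename yields exactly two top-level statements (the import
    and the assignment). Every statement beyond that was supplied by the
    filename, which is the injection, demonstrated without running it."""
    return len(ast.parse(source).body)


def line_rate(coverage_path: str) -> float:
    """Hardened form: the path arrives as data (an argv element or an
    environment variable) and is handed to ET.parse as a Python object, so
    no filename can change what code runs."""
    root = ET.parse(coverage_path).getroot()
    return float(root.attrib["line-rate"])


def enforce_threshold(coverage_path: str, minimum: float) -> bool:
    """The gate the pipeline step is meant to implement."""
    return line_rate(coverage_path) >= minimum


def demo() -> dict:
    """Write the constructed report under the crafted name and compare the
    two handling strategies on the very same path."""
    with tempfile.TemporaryDirectory() as workdir:
        crafted_path = os.path.join(workdir, CRAFTED_NAME)
        with open(crafted_path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_XML)
        return {
            "benign_statements": count_statements(
                build_inline_python("coverage.cobertura.xml")),
            "crafted_statements": count_statements(
                build_inline_python(crafted_path)),
            "line_rate": line_rate(crafted_path),
            "meets_80": enforce_threshold(crafted_path, 0.80),
        }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Hardened pipeline usage: python3 check_coverage.py "$COVERAGE_FILE"
        ok = enforce_threshold(sys.argv[1], 0.80)
        print("coverage gate", "passed" if ok else "FAILED")
        sys.exit(0 if ok else 1)
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run without arguments it reports two statements for an ordinary filename and five for the crafted one, then parses the crafted-name file correctly through the hardened path. The fix on the shell side is to stop building source text from the variable: invoke a script file with the path as an argument (python3 check_coverage.py "$COVERAGE_FILE") or export it and read os.environ["COVERAGE_FILE"] inside a python -c body written with no interpolation at all. Keep the double quotes around "$COVERAGE_FILE" in either case; they prevent word splitting on the find output but, as the example shows, they are not what stops the injection.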
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 5, 2026, 09:29 PM