api-testing

Pass

Audited by Gen Agent Trust Hub on Feb 22, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS
Full Analysis
  • EXTERNAL_DOWNLOADS (SAFE): The skill references the installation of standard API testing tools (newman, @usebruno/cli) and common utilities (uuid) from the public npm registry. These are well-established, reputable packages for the intended use case.
      • Evidence: Found in reference/ci-integration.md (CLI installation) and reference/bruno-patterns.md (package requirement).
  • SAFE (SAFE): Secure credential management is consistently promoted across the documentation. The skill instructs users to utilize environment variables and secrets for sensitive data like API keys and tokens, with explicit warnings against committing these values to version control.
      • Evidence: SKILL.md (Environment Management section) and reference/bruno-patterns.md (Secret Management section).
  • SAFE (SAFE): Indirect Prompt Injection Surface: As an API testing tool, the skill naturally ingests untrusted data from API responses. While this represents a theoretical attack surface, it is a primary functional requirement and is mitigated by the sandboxed execution environments of the recommended tools.
      • Ingestion points: pm.response.json() in reference/postman-patterns.md and res.body in reference/bruno-patterns.md.
      • Boundary markers: Absent; data is handled via JavaScript variables.
      • Capability inventory: CLI tools execute scripts and produce reports based on this data.
      • Sanitization: Absent; the focus is on validation for testing purposes.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 22, 2026, 09:18 PM