msw

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Full Analysis
  • [Prompt Injection] (SAFE): The skill contains no instructions designed to override agent constraints or bypass safety guidelines. All 'CRITICAL' and 'HIGH' markers refer to the impact of following MSW best practices on software reliability.
  • [Data Exposure & Exfiltration] (SAFE): No hardcoded API keys, credentials, or sensitive file paths (e.g., ~/.ssh) are present. Examples using 'Authorization' headers use generic placeholders like 'jwt-token' or 'Bearer '.
  • [Obfuscation] (SAFE): Content is clear, well-structured Markdown. No Base64, zero-width characters, or homoglyphs were found.
  • [Unverifiable Dependencies] (SAFE): References well-known, industry-standard packages from the npm registry including 'msw', 'vitest', 'jest-fixed-jsdom', and '@faker-js/faker'. No 'curl | bash' or suspicious remote script execution patterns are present.
  • [Privilege Escalation] (SAFE): No use of 'sudo', 'chmod 777', or other commands aimed at escalating system privileges. Documentation focuses on standard 'pnpm' and 'npx' usage.
  • [Indirect Prompt Injection] (SAFE): While the skill describes handling external data (request bodies/query params), it emphasizes proper validation and structured response handling (e.g., 'graphql-error-responses.md'). It does not introduce capabilities that would allow external data to execute logic within the agent's environment.
  • [Dynamic Execution] (SAFE): No use of 'eval()', 'exec()', or runtime code generation from untrusted sources. Examples of 'crypto.randomUUID()' and 'URL' parsing are standard for the stated purpose of API mocking.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:39 PM