e2e-test-scenarios
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flagged categories: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- DATA_EXFILTRATION (HIGH): An automated scanner detected the phishing domain 'note.us' in README.md. This URL is not visible in standard text viewing, indicating it may be hidden via obfuscation (e.g., zero-width characters or tags), which is a common vector for credential harvesting.
- CREDENTIALS_UNSAFE (HIGH): The script 'scripts/test-auth-workflow.sh' writes Supabase 'ACCESS_TOKEN' data into a plaintext temporary file created with mktemp.
  - Evidence: ACCESS_TOKEN is stored in TEST_DATA_FILE, which is accessible to other local processes.
- COMMAND_EXECUTION (MEDIUM): The skill generates and executes multiple shell scripts, SQL files, and configuration files (package.json, jest.config.js) at runtime. This creates a risk of command injection if environment variables like SUPABASE_TEST_URL are sourced from untrusted locations.
- EXTERNAL_DOWNLOADS (LOW): The setup process installs several npm packages and uses curl to communicate with remote Supabase endpoints. While typical for development tools, the presence of a phishing domain in the documentation necessitates a more cautious review.
Recommendations
- AI detected serious security threats
- Contains 1 malicious URL(s) - DO NOT USE
Audit Metadata