expect
Pass
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: Indirect prompt injection surface via codebase content and user instructions.
- Ingestion points: Processes
git diffoutput viascripts/diff-scan.shand user-supplied instructions from the-margument inSKILL.md. - Boundary markers: The prompt template in
references/test-plan.mduses structural section headers to delimit data, which helps provide context but does not fully prevent adversarial influence from processed data. - Capability inventory: The skill possesses the ability to execute shell commands through the
Bashtool and perform browser actions (including JavaScript execution) viaagent-browser. - Sanitization: Untrusted data from the codebase and user input is interpolated into the AI test plan generation prompt without explicit sanitization or escaping.
- [EXTERNAL_DOWNLOADS]: Fetches configuration and tools from well-known and trusted sources.
- Recording Library: The skill optionally downloads the
rrwebsession recording library from the jsDelivr CDN (cdn.jsdelivr.net) as described inreferences/rrweb-recording.md. - Automation Tool: The skill documentation in
SKILL.mdidentifies a dependency on the@anthropic-ai/agent-browserpackage for browser orchestration. - [COMMAND_EXECUTION]: Orchestrates a multi-phase testing pipeline using local scripts and standard system tools.
- Pipeline Scripts: Executes several bundled bash scripts (
scripts/diff-scan.sh,scripts/fingerprint.sh,scripts/init.sh,scripts/route-map.sh,scripts/report.sh) to manage the testing lifecycle. - Dynamic Logic: Shell scripts utilize inline Python commands (
python3 -c) to handle JSON/YAML parsing and framework detection logic.
Audit Metadata