Testing Strategy
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [Command Execution] (HIGH): The skill relies on executing local scripts such as
./scripts/analyze-coverage-gaps.shand./scripts/generate-test.sh. These scripts are not included in the skill definition, creating an unverified execution path. - [Indirect Prompt Injection] (HIGH): This skill is vulnerable to indirect prompt injection because it ingests untrusted external content and possesses high-privilege capabilities.
- Ingestion points: Reads and analyzes Go source files (
.go) and coverage data (coverage.out). - Boundary markers: Absent. There are no instructions or delimiters provided to prevent the agent from interpreting embedded instructions in the source code it reads.
- Capability inventory: The agent has access to
Bash,Write,Edit, andReadtools. - Sanitization: Absent. There is no evidence of input validation or sanitization of the code being analyzed before it is used for analysis or test generation.
- [Dynamic Execution] (MEDIUM): The skill involves generating new Go test code based on existing source code and subsequently executing it using
go test. Maliciously crafted source code could influence the generation process to inject code that executes during the test phase.
Recommendations
- AI detected serious security threats
Audit Metadata