generate-tests
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUMCREDENTIALS_UNSAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill reads sensitive authentication credentials (email, password) from the project's internal memory (located at
~/.claude/projects/<project>/memory/reference_local_auth.md) and writes them into a local.env.test.localfile. Although the skill includes instructions to update.gitignoreto prevent these credentials from being committed to version control, the handling of plaintext secrets in local files is a sensitive operation. - [COMMAND_EXECUTION]: The skill dynamically generates TypeScript test files (
.spec.ts) and executes them vianpx playwright test. This pattern of script generation and subsequent execution creates a surface for indirect prompt injection if the source data files (such asapp-map.mdor playbooks) contain malicious content that influences the generated code. - [EXTERNAL_DOWNLOADS]: The skill performs automated installation of external dependencies, specifically the
@playwright/testpackage and the Chromium browser viapnpmandnpx. These resources originate from well-known and established service providers.
Audit Metadata