qa-test-plan

Pass

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses several shell commands to inspect the repository state and code content, including git diff, git show, git log, cat, and grep. These are necessary for its primary purpose of analyzing code changes but involve executing commands based on user-provided references (hashes, branches, file paths).
  • [EXTERNAL_DOWNLOADS]: The skill utilizes the GitHub CLI (gh pr diff) to fetch data from GitHub. While GitHub is a well-known and trusted service, this represents an external data dependency where the agent fetches remote content into the current context.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests and processes untrusted data from external sources.
      • Ingestion points: Code diffs from git, PR bodies/descriptions from GitHub, and file contents via cat or git show (SKILL.md, Phase 1).
      • Boundary markers: The skill does not define clear delimiters or specific instructions for the agent to ignore potentially malicious instructions embedded within the code comments or PR metadata being analyzed.
      • Capability inventory: The agent has the capability to execute shell commands (git, gh, grep), write files to the local filesystem (docs/qa/), and output content to the chat (SKILL.md, Output format).
      • Sanitization: There is no explicit sanitization or validation logic to filter out natural language instructions that might be embedded in the code changes and designed to manipulate the agent's behavior during the test plan generation phase.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 13, 2026, 11:29 AM
Security Audit — agent-trust-hub — qa-test-plan