test-coverage
Pass
Audited by Gen Agent Trust Hub on May 8, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill uses `pnpm add -D @vitest/coverage-v8` to install the official coverage provider for Vitest. This is a standard development dependency from a well-known public registry and is required for the skill's functionality.
- [COMMAND_EXECUTION]: The skill executes various shell commands to inspect the project environment, including `grep`, `cat`, and `find`. It also runs test commands like `npx vitest run --coverage` and `npx jest --coverage` to collect metrics.
- [COMMAND_EXECUTION]: A hardcoded Node.js script is used to parse the JSON coverage summary and identify files below the coverage threshold. The script is self-contained and operates only on local data.
- [PROMPT_INJECTION]: The skill has an attack surface for indirect prompt injection as it reads application source code and coverage reports to generate new test files. However, this is inherent to the skill's primary purpose of fixing test coverage.
  - Ingestion points: Source files under `src/`, `package.json`, and coverage reports.
  - Boundary markers: None explicitly defined for ingested content.
  - Capability inventory: Shell (execution of tests/commands), Write (creation of test files and config updates).
  - Sanitization: Content is used as context for generating TypeScript/JavaScript code without specific sanitization filters.
Audit Metadata