add-cucumber-tests
Pass
Audited by Gen Agent Trust Hub on May 4, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill uses a mandatory human-approval step (Workflow Step 5) to mitigate risks from indirect prompt injection. This ensures the user reviews and approves all generated test scenarios and plans.
- Ingestion points: User-provided functional specifications (Workflow Step 1).
- Boundary markers: The prompt uses Gherkin structure and documentation reference files to constrain the agent's output.
- Capability inventory: Subprocess execution for build tools (Maven/Gradle) and local file-system writes for feature files.
- Sanitization: A mandatory review checkpoint (Step 5) requires the user to approve the full plan before the agent implements any files.
- [DATA_EXFILTRATION]: The referenced library source code (
ObjectSteps.java) contains utilities to access environment variables and system properties. These are intended for integration testing and are part of the framework's legitimate functionality. - The file-writing utility in the framework (
output_in) includes a path traversal check to ensure files are only written within the project's resource directory. - [COMMAND_EXECUTION]: The skill uses standard local build wrappers (
./mvnw,./gradlew) to confirm that the project environment is stable and that tests are correctly discovered. - [SAFE]: The skill utilizes localized reference files (
references/steps-*.md) as a 'source of truth' for legal step patterns, which prevents the agent from generating arbitrary or unsafe execution steps.
Audit Metadata