running-devops-test-suite
Pass
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: SAFECOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using the Salesforce CLI ('sf') to interact with the DevOps Center API.\n
- File: SKILL.md\n
- Evidence:
sf api request rest "/services/data/v67.0/connect/devopstesting/pipeline/<pipelineId>/stage/execute" --method POST --body '{"stageId": "<stageId>", "event": "<event>", "testSuiteIds": ["<suiteId1>", "<suiteId2>"]}' --target-org <doce-org-alias>\n- [COMMAND_EXECUTION]: The skill processes untrusted user data and interpolates it into shell command strings, creating a surface for command injection.\n - Ingestion points: User-provided inputs such as
pipelineId,stageId,event, anddoce-org-alias.\n - Boundary markers: The skill implements a manual confirmation prompt ("Confirmation gate") that requires the user to review and approve the configuration before any command is executed.\n
- Capability inventory: Execution of subprocesses via the
sfCLI inSKILL.md.\n - Sanitization: The instructions do not specify any validation, escaping, or filtering of the inputs before they are interpolated into the command line string.
Audit Metadata