Skills
skills/happy-technologies-llc/happy-platform-skills/automated-testing/Gen Agent Trust Hub

automated-testing

Warn

Audited by Gen Agent Trust Hub on Apr 9, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The skill makes extensive use of the SN-Execute-Background-Script tool to run arbitrary server-side JavaScript on the ServiceNow platform. This is used for triggering test runners, calculating aggregate metrics, and performing environment maintenance.
  • [COMMAND_EXECUTION]: The Troubleshooting section includes a maintenance script designed to delete records from critical tables including sys_user (users), sys_user_group (groups), and incident. This script identifies targets based on a string prefix ('ATF'), which presents a risk of accidental data loss if naming conventions are not strictly isolated or if the script is executed in an incorrect environment.
  • [REMOTE_CODE_EXECUTION]: The skill provides templates for Jenkins Groovy pipelines and GitHub Actions workflows that execute shell commands (curl) and script logic to interact with remote ServiceNow APIs and manage deployment flows.
  • [DATA_EXFILTRATION]: The skill facilitates the extraction of platform data through SN-Query-Table and REST API calls to various system tables. While intended for analyzing test results, these patterns could be repurposed to expose sensitive platform configuration or user data.
  • [PROMPT_INJECTION]: The skill contains an indirect prompt injection surface (Category 8) where external data enters the agent context.
  • Ingestion points: Data is ingested via SN-Query-Table from the sys_atf_test_result, sys_atf_step_result, and sys_atf_variable tables (documented in Phase 8 and Troubleshooting).
  • Boundary markers: There are no defined boundary markers or instructions for the agent to ignore embedded commands within the queried ServiceNow records.
  • Capability inventory: The skill possesses significant capabilities including SN-Execute-Background-Script (server-side JS execution), SN-Update-Record, SN-Create-Record, and native Bash execution.
  • Sanitization: No sanitization logic is provided to validate or escape data retrieved from ServiceNow before it is processed or used in subsequent logic flows.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 9, 2026, 02:34 PM