setup-crap-check-github-actions

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE (tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The Go language preset generates a workflow that installs the gcov2lcov tool directly from a third-party GitHub repository (github.com/jandelgado/gcov2lcov@latest).
  • [COMMAND_EXECUTION]: The skill generates a GitHub Actions YAML file (.github/workflows/crap-check.yml) that executes shell commands for testing, coverage reporting, and CRAP score calculation. These commands (e.g., mvn test, npm ci, pytest) are executed in the CI environment.
  • [PROMPT_INJECTION]: The skill exhibits a surface for Indirect Prompt Injection (Category 8):
      ◦ Ingestion points: The skill reads project configuration files (such as package.json, pom.xml, or .coveragerc) to automatically detect test frameworks and command-line arguments (SKILL.md, Step 1).
      ◦ Boundary markers: Absent. The detected strings are passed as arguments to the generate_workflow.py script and interpolated directly into the workflow YAML.
      ◦ Capability inventory: The skill can write files to the .github/workflows/ directory and include arbitrary shell commands in the generated workflow.
      ◦ Sanitization: None. The skill relies on a manual user confirmation step ("Present findings to user for confirmation before proceeding") to mitigate the risk of injecting malicious commands into the CI pipeline.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 5, 2026, 09:49 PM