skills/openharmonyinsight/openharmony-skills/ohos-ut-test-coverage-report-generation/Gen Agent Trust Hub
ohos-ut-test-coverage-report-generation
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the OpenHarmony build system and connected devices. This includes running
./build_system.shwith various arguments, executinghdc(Huawei Device Connector) commands for device interaction, and running local Python and shell scripts (build_before_generate.py,pr_coverage.py,run_test_with_monitor.sh). - [EXTERNAL_DOWNLOADS]: The skill's dependency installer (
references/03-dependency-installer.md) uses system package managers (apt-get,yum) and Python'spipto download and install a wide range of dependencies, including compilers, coverage tools, and over 15 Python libraries from public registries. - [PRIVILEGE_ESCALATION]: The skill uses
sudoin several places withinreferences/03-dependency-installer.mdto install system packages, modify the system-wide/etc/lcovrcfile, and move theaddlcovutility to/usr/bin/addlcov. This represents a high-privilege requirement for the agent's environment. - [INDIRECT_PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and parsing data from the local project repository, such as build metadata (
subsystem_parts.json,parts_targets.json) and test report files (index.html). - Ingestion points: Parsing JSON metadata in
references/01-config-checker.mdand HTML/XML reports inscripts/parse_coverage_report.py. - Boundary markers: None explicitly defined for data ingestion from the project structure.
- Capability inventory: Ability to execute shell commands, install system/Python packages, write files, and communicate with external devices via
hdc. - Sanitization: User-provided parameters like subsystem or part names are parsed using regular expressions (e.g.,
\w+), which provides basic protection against simple command injection.
Audit Metadata