ohos-ut-test-coverage-report-generation

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill frequently executes shell commands to interact with the OpenHarmony build system and connected devices. This includes running ./build_system.sh with various arguments, executing hdc (Huawei Device Connector) commands for device interaction, and running local Python and shell scripts (build_before_generate.py, pr_coverage.py, run_test_with_monitor.sh).
  • [EXTERNAL_DOWNLOADS]: The skill's dependency installer (references/03-dependency-installer.md) uses system package managers (apt-get, yum) and Python's pip to download and install a wide range of dependencies, including compilers, coverage tools, and over 15 Python libraries from public registries.
  • [PRIVILEGE_ESCALATION]: The skill uses sudo in several places within references/03-dependency-installer.md to install system packages, modify the system-wide /etc/lcovrc file, and move the addlcov utility to /usr/bin/addlcov. This represents a high-privilege requirement for the agent's environment.
  • [INDIRECT_PROMPT_INJECTION]: The skill exhibits a surface for indirect prompt injection by ingesting and parsing data from the local project repository, such as build metadata (subsystem_parts.json, parts_targets.json) and test report files (index.html).
  • Ingestion points: Parsing JSON metadata in references/01-config-checker.md and HTML/XML reports in scripts/parse_coverage_report.py.
  • Boundary markers: None explicitly defined for data ingestion from the project structure.
  • Capability inventory: Ability to execute shell commands, install system/Python packages, write files, and communicate with external devices via hdc.
  • Sanitization: User-provided parameters like subsystem or part names are parsed using regular expressions (e.g., \w+), which provides basic protection against simple command injection.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 13, 2026, 08:40 AM
Security Audit — agent-trust-hub — ohos-ut-test-coverage-report-generation