Production Smoke Suite
Warn
Audited by Gen Agent Trust Hub on Apr 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSDATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides multiple script examples (
scripts/run-smoke-docker.ts,scripts/scheduled-smoke.ts) that utilizechild_process.execSyncto execute system commands such as Docker and Playwright CLI tools. - [REMOTE_CODE_EXECUTION]: A script example in the documentation,
run-smoke-docker.ts, exhibits a potential command injection vulnerability. It takes a command-line argument (process.argv[2]) and interpolates it directly into a shell command string executed viaexecSyncwithout any sanitization or validation. - [DATA_EXFILTRATION]: The alerting helper implementation (
src/helpers/alerting.ts) includes functions to send test result summaries and failure details to external Slack and PagerDuty webhooks provided via environment variables. This represents an intentional data transmission path to third-party services for monitoring purposes. - [EXTERNAL_DOWNLOADS]: The CI/CD integration examples specify commands to download the Playwright framework and its associated browser binaries (e.g.,
npx playwright install chromium) and install project dependencies from standard package registries.
Audit Metadata