REST Assured API Testing
Pass
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: SAFECREDENTIALS_UNSAFEPROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains hardcoded credentials in the documentation examples, specifically in the
BaseApiTest.javaandAuthApiTestsections (e.g., "email": "admin@example.com", "password": "AdminPass123!"). While these appear to be dummy values for local development (localhost:3000), they represent a risk if used in production or if real credentials are substituted without externalizing them. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is designed to fetch, parse, and act upon data from external, potentially untrusted API endpoints.
- Ingestion points: Data is ingested from API responses and extracted into POJOs or variables using methods like
.extract().as(User.class)and.path("token")as shown inSKILL.md. - Boundary markers: No boundary markers or instructions to ignore potential commands embedded in API response fields are specified.
- Capability inventory: The skill has network access capabilities via the REST Assured library and file system access for reading test resources (e.g.,
new File("src/test/resources/test-data/sample.pdf")). - Sanitization: There is no evidence of sanitization or validation logic to filter out malicious instructions from the processed API data before the agent uses it for further test logic or assertions.
Audit Metadata