sync-cases

Pass

Audited by Gen Agent Trust Hub on May 20, 2026

Risk Level: SAFE
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill uses npx to fetch and execute the check-tests package from the npm registry. This ensures the latest version of the vendor's tool is utilized without requiring permanent local installation.
  • [COMMAND_EXECUTION]: Executable commands are used to trigger the check-tests CLI for synchronization tasks. These operations are restricted to the user-specified directory and specifically target *.test.md files.
  • [DATA_EXFILTRATION]: Local Markdown test files are uploaded to the Testomat.io platform (app.testomat.io). This behavior is the primary intended function of the skill and communicates exclusively with the vendor's official infrastructure.
  • [PROMPT_INJECTION]: The skill possesses an indirect prompt injection surface because it processes Markdown content pulled from an external API or read from local files.
      ◦ Ingestion points: npx check-tests pull (external API) and local file reads (SKILL.md).
      ◦ Boundary markers: The skill uses specific HTML comments (<!-- test ... -->) to delineate test metadata from content.
      ◦ Capability inventory: Subprocess execution of the check-tests CLI and file system writes.
      ◦ Sanitization: The skill relies on the CLI tool for parsing, but instructs the agent to validate test blocks before pushing.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 20, 2026, 02:49 PM