Trusted — Risk Score 5/100
Last scan: 2 days ago
jest-unittest
Jest-based unit test management skill providing coverage detection, auto-completion to 100%, and test failure diagnosis/fixing for frontend projects
Jest-based unit test management skill with well-documented functionality, appropriate permissions, and no malicious indicators.
Skill Name: jest-unittest
Duration: 42.3s
Engine: pi
Safe to install
This skill is safe to use. No security concerns identified.

Findings 3 items

Severity: Info
Finding: Broad file write capabilities in unittest-completer
The unittest-completer sub-skill has Write/Edit/MultiEdit permissions to create and modify test files. This is necessary for its auto-completion feature but grants broader file write access than the testing domain alone.
Evidence: allowed-tools: Read, Edit, MultiEdit, Write, Bash, Glob, Grep, TaskCreate, TaskUpdate, TaskList
→ This is legitimate behavior for a test auto-completion tool. Test files are created in the project's designated test directory ($PATH/$testDir/), not arbitrary locations.
Location: sub-skills/unittest-completer/SKILL.md:5

Severity: Info
Finding: Configuration isolation using project hash
The skill stores project-specific configuration in .temp/projects/<hash>/ using an MD5 hash of the project root. This prevents configuration conflicts between multiple projects.
Evidence: const projectDir = path.join(skillRoot, '.temp', 'projects', hash);
→ Security-positive design: isolates per-project config and uses .temp/ (outside git) for temporary data.
Location: scripts/resolve-project.cjs:67

Severity: Info
Finding: Legitimate Jest command execution
The skill uses execSync to run `npx jest` commands for testing. This is expected behavior for a unit testing tool.
Evidence: execSync(testCommand, { cwd: projectRoot, encoding: 'utf-8', ... })
→ No action needed - this is the core functionality of the skill.
Location: scripts/analyze-coverage/index.cjs:41
Resource    | Declared   | Inferred   | Status    | Evidence
Filesystem  | READ,WRITE | READ,WRITE | ✓ Aligned | unittest-completer/SKILL.md declares Write/Edit for test file creation; unittest…
Shell       | WRITE      | WRITE      | ✓ Aligned | Bash tool declared in all sub-skills; used to run `npx jest` commands which is e…
Network     | NONE       | NONE       |           | No network requests found; only runs local Jest commands
Environment | NONE       | NONE       |           | No sensitive environment variable access or exfiltration
Database    | NONE       | NONE       |           | No database access
Clipboard   | NONE       | NONE       |           | No clipboard access

File Tree

13 files · 57.7 KB · 1699 lines
JavaScript: 6 files · 1017 lines; Markdown: 6 files · 677 lines; JSON: 1 file · 5 lines
├─ 📁 scripts
│  ├─ 📜 guard-config.cjs            JavaScript 70L · 2.6 KB
│  ├─ 📜 reload.cjs                  JavaScript 201L · 6.6 KB
│  └─ 📜 resolve-project.cjs         JavaScript 94L · 2.7 KB
├─ 📁 sub-skills
│  ├─ 📁 unittest-checker
│  │  ├─ 📁 scripts
│  │  │  └─ 📁 analyze-coverage
│  │  │     └─ 📜 index.cjs          JavaScript 198L · 5.5 KB
│  │  └─ 📝 SKILL.md                 Markdown 46L · 2.0 KB
│  ├─ 📁 unittest-completer
│  │  ├─ 📁 scripts
│  │  │  └─ 📁 check-coverage-100
│  │  │     ├─ 📜 index.cjs          JavaScript 221L · 6.3 KB
│  │  │     └─ 📝 README.md          Markdown 106L · 2.7 KB
│  │  └─ 📝 SKILL.md                 Markdown 154L · 6.8 KB
│  └─ 📁 unittest-doctor
│     ├─ 📁 scripts
│     │  └─ 📁 test-error-reporter
│     │     └─ 📜 index.cjs          JavaScript 233L · 7.9 KB
│     └─ 📝 SKILL.md                 Markdown 174L · 7.1 KB
├─ 📋 _meta.json                     JSON 5L · 80 B
├─ 📝 README.md                      Markdown 149L · 5.0 KB
└─ 📝 SKILL.md                       Markdown 48L · 2.3 KB

Security Positives

✓ Comprehensive documentation with SKILL.md files for main skill and all sub-skills
✓ Project configuration isolation prevents cross-project data leakage
✓ Uses .temp/ directory (outside git) for temporary files and coverage reports
✓ No credential harvesting, sensitive path access, or data exfiltration
✓ No base64-encoded payloads, hidden instructions, or obfuscated code
✓ Clear error handling with specific error types (config_error, env_error, test_error)
✓ Legitimate subprocess usage for running Jest tests - documented and necessary
✓ Jest configuration parsing uses regex extraction - no unsafe eval()
✓ No external network requests except `npx jest --version` for version detection