qa-gate-gcp
Validates GCP applications pre-deployment by generating test plans, executing tests, and producing go/no-go reports.
Security score
The qa-gate-gcp skill was audited on Mar 3, 2026 and we found 45 security issues across 4 threat categories, including 2 high-severity. Review the findings below before installing.
Security Issues
Direct command execution function call
| 437 | const match = pattern.exec(output.content); |
Direct command execution function call
| 824 | // execSync("npx prisma migrate status") should show no pending migrations |
Template literal with variable interpolation in command context
| 174 | const res = await fetch(`${BASE_URL}/api/entities`, { |
Template literal with variable interpolation in command context
| 175 | headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` }, |
Template literal with variable interpolation in command context
| 181 | const res = await fetch(`${BASE_URL}/api/entities`); |
Template literal with variable interpolation in command context
| 186 | const res = await fetch(`${BASE_URL}/api/entities`, { |
Template literal with variable interpolation in command context
| 187 | headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` }, |
Template literal with variable interpolation in command context
| 198 | const res = await fetch(`${BASE_URL}/api/entities`, { |
Template literal with variable interpolation in command context
| 201 | Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}`, |
Template literal with variable interpolation in command context
| 212 | const res = await fetch(`${BASE_URL}/api/entities`, { |
Template literal with variable interpolation in command context
| 397 | details: `Content length: ${output.content.length}, minimum: ${config.minLength}`, |
Template literal with variable interpolation in command context
| 405 | details: `Content length: ${output.content.length}, maximum: ${config.maxLength}`, |
Template literal with variable interpolation in command context
| 413 | details: `Tokens used: ${output.tokens_used}, budget: ${config.maxTokens}`, |
Template literal with variable interpolation in command context
| 421 | details: `Latency: ${output.latency_ms}ms, max: ${config.maxLatencyMs}ms`, |
Template literal with variable interpolation in command context
| 428 | rule: `required_section:${section}`, |
Template literal with variable interpolation in command context
| 430 | details: `Section "${section}" ${output.content.toLowerCase().includes(section.toLowerCase()) ? "found" : "missing"}`, |
Template literal with variable interpolation in command context
| 439 | rule: `forbidden_pattern:${pattern.source}`, |
Template literal with variable interpolation in command context
| 441 | details: match ? `Found forbidden pattern: "${match[0]}"` : "No forbidden patterns found", |
Template literal with variable interpolation in command context
| 501 | const judgingPrompt = `You are a strict QA evaluator. Assess the following LLM output against the original prompt. |
Template literal with variable interpolation in command context
| 533 | Authorization: `Bearer ${OPENROUTER_API_KEY}`, |
Template literal with variable interpolation in command context
| 555 | const res = await fetch(`${BASE_URL}/api/generate`, { |
Template literal with variable interpolation in command context
| 557 | headers: { "Content-Type": "application/json", Authorization: `Bearer ${TOKEN}` }, |
Template literal with variable interpolation in command context
| 594 | ```bash |
Template literal with variable interpolation in command context
| 661 | ```bash |
Template literal with variable interpolation in command context
| 713 | ```bash |
Template literal with variable interpolation in command context
| 747 | ```bash |
Fetch to external URL
| 530 | const response = await fetch("https://openrouter.ai/api/v1/chat/completions", { |
Access to .env file
| 9 | You are a senior QA architect responsible for the final validation gate before production deployment on Google Cloud Platform. You do NOT write individual unit tests (that is test-sentinel's job). Ins |
Access to .env file
| 13 | `OPENROUTER_API_KEY` is used in generated validation scripts to run LLM-as-judge evaluations on content quality. `GCP_PROJECT_ID` and `GCP_REGION` are referenced in generated infrastructure validation |
Access to .env file
| 170 | const BASE_URL = process.env.VALIDATION_BASE_URL || "http://localhost:3000"; |
Access to .env file
| 175 | headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` }, |
Access to .env file
| 187 | headers: { Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}` }, |
Access to .env file
| 201 | Authorization: `Bearer ${process.env.TEST_AUTH_TOKEN}`, |
Access to .env file
| 231 | await page.fill('[name="email"]', process.env.TEST_USER_EMAIL!); |
Access to .env file
| 232 | await page.fill('[name="password"]', process.env.TEST_USER_PASSWORD!); |
Access to .env file
| 326 | await page.fill('[name="email"]', process.env.TEST_USER_EMAIL!); |
Access to .env file
| 327 | await page.fill('[name="password"]', process.env.TEST_USER_PASSWORD!); |
Access to .env file
| 349 | await page.fill('[name="email"]', process.env.TEST_USER_EMAIL!); |
Access to .env file
| 350 | await page.fill('[name="password"]', process.env.TEST_USER_PASSWORD!); |
Access to .env file
| 491 | const OPENROUTER_API_KEY = process.env.OPENROUTER_API_KEY; |
Access to .env file
| 649 | --format="value(spec.template.spec.containers[0].env.name)" 2>/dev/null) |
Access to .env file
| 982 | - NEVER read or modify `.env`, `.env.local`, or any credential file directly |
Access to .env file
| 983 | - All env var references are in generated test/script code via `process.env.*` or `os.environ.get()` |
External URL reference
| 170 | const BASE_URL = process.env.VALIDATION_BASE_URL || "http://localhost:3000"; |
External URL reference
| 530 | const response = await fetch("https://openrouter.ai/api/v1/chat/completions", { |