coding-cli-management

Fail

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/run-coding-cli.sh executes external CLI tools (claude, qodercli) using high-risk flags that explicitly disable safety and permission checks. Specifically, it uses --dangerously-skip-permissions for the Claude CLI and --yolo for QoderCLI, which allows these tools to perform potentially destructive actions without user confirmation.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by taking unvalidated content from a 'Worker' message and passing it directly to powerful AI coding tools as a prompt. This could allow a malicious or compromised worker to hijack the Manager's CLI access.
  • Ingestion points: SKILL.md parses user-provided content from messages labeled with coding-request: (specifically between ---PROMPT--- and ---END--- markers).
  • Boundary markers: The skill uses basic structural delimiters but lacks explicit instructions or guardrails to prevent the underlying AI CLI from obeying instructions embedded within the worker's prompt.
  • Capability inventory: scripts/run-coding-cli.sh can execute CLIs with full write access to the workspace and the ability to interact with external APIs.
  • Sanitization: No escaping, validation, or filtering is performed on the {extracted prompt content} before it is written to a temporary file and executed.
  • [DATA_EXFILTRATION]: The skill uses mc mirror to synchronize workspace data with a remote storage prefix (HICLAW_STORAGE_PREFIX). Because the AI tools are run with bypassed security filters, an attacker using prompt injection could move sensitive system files (such as the CLI credentials located in ~/.claude/ or ~/.gemini/ mentioned in the scripts) into the workspace, where they would be automatically uploaded to the remote storage server.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 21, 2026, 02:32 AM
Security Audit — agent-trust-hub — coding-cli-management