coding-cli-management
Fail
Audited by Gen Agent Trust Hub on Jun 21, 2026
Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/run-coding-cli.shexecutes external CLI tools (claude,qodercli) using high-risk flags that explicitly disable safety and permission checks. Specifically, it uses--dangerously-skip-permissionsfor the Claude CLI and--yolofor QoderCLI, which allows these tools to perform potentially destructive actions without user confirmation. - [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by taking unvalidated content from a 'Worker' message and passing it directly to powerful AI coding tools as a prompt. This could allow a malicious or compromised worker to hijack the Manager's CLI access.
- Ingestion points:
SKILL.mdparses user-provided content from messages labeled withcoding-request:(specifically between---PROMPT---and---END---markers). - Boundary markers: The skill uses basic structural delimiters but lacks explicit instructions or guardrails to prevent the underlying AI CLI from obeying instructions embedded within the worker's prompt.
- Capability inventory:
scripts/run-coding-cli.shcan execute CLIs with full write access to the workspace and the ability to interact with external APIs. - Sanitization: No escaping, validation, or filtering is performed on the
{extracted prompt content}before it is written to a temporary file and executed. - [DATA_EXFILTRATION]: The skill uses
mc mirrorto synchronize workspace data with a remote storage prefix (HICLAW_STORAGE_PREFIX). Because the AI tools are run with bypassed security filters, an attacker using prompt injection could move sensitive system files (such as the CLI credentials located in~/.claude/or~/.gemini/mentioned in the scripts) into the workspace, where they would be automatically uploaded to the remote storage server.
Recommendations
- AI detected serious security threats
Audit Metadata