code-agent
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process untrusted data from the workspace and user-uploaded files. This creates a surface for indirect prompt injection where a malicious file could attempt to influence the agent's behavior during exploration or implementation.
  - Ingestion points: Workspace files and user-uploaded files (SKILL.md).
  - Boundary markers: No explicit prompt boundaries or 'ignore instructions' directives are specified for the sub-agent interaction in the provided documents.
  - Capability inventory: The code_agent tool can read/write files and execute arbitrary code in an isolated container environment (SKILL.md).
  - Sanitization: No sanitization or validation of workspace content is mentioned before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill facilitates the execution of code and tests (e.g., pytest, mypy) within an isolated workspace. This is the intended functionality of the 'Code Agent' and is restricted to its dedicated container (SKILL.md).
- [DATA_EXFILTRATION]: The documentation mentions that all files are auto-synced to S3. This appears to be a platform-level persistence feature of the execution environment rather than a command-based exfiltration attempt, and it aligns with the vendor's (aws-samples) typical infrastructure.
Audit Metadata