code-agent
Pass
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: SAFEREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill is designed to autonomously generate, modify, and execute source code across multiple files to fulfill user-requested engineering tasks, which is a form of dynamic execution inherent to its primary purpose.
- [COMMAND_EXECUTION]: The instructions direct the agent to run arbitrary shell commands within its isolated environment to investigate codebases and run verification tools such as test suites, linters, and build systems (e.g.,
pytest,mypy). - [EXTERNAL_DOWNLOADS]: The skill encourages the agent to retrieve external context from the web, specifically referencing the collection of API documentation, library changelogs, and metadata from package registries like npm.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it is built to ingest and process data from potentially untrusted external sources.
- Ingestion points: The agent reads content from GitHub issues, bug reports, user-provided feature requests, and uploaded archives (e.g.,
my-project.zip). - Boundary markers: The skill recommends using structured XML-like tags (e.g.,
<task>,<objective>,<scope>) to define task parameters and isolate them from the agent's instructions. - Capability inventory: The underlying
code_agenttool has full read/write access to the workspace filesystem and the ability to execute arbitrary shell commands. - Sanitization: The workflow relies on manual human review ('Orchestrator' verification) of implementation plans and code outputs rather than automated input sanitization.
- [DATA_EXFILTRATION]: The documentation specifies that all files within the agent's workspace are automatically synchronized to an Amazon S3 bucket for persistence and session management.
Audit Metadata