codeagent
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the `codeagent-wrapper` CLI tool, which is designed to perform deep code analysis, generation, and refactoring on the local file system.
- [COMMAND_EXECUTION]: Provides an explicit mechanism to disable security permission prompts for the Claude backend via the `--dangerously-skip-permissions` flag or the `CODEAGENT_SKIP_PERMISSIONS` environment variable, which could allow unauthorized file modifications if the agent is compromised.
- [PROMPT_INJECTION]: The skill exhibits surface area for indirect prompt injection (Category 8).
  - Ingestion points: Processes user-provided task descriptions and local file content referenced using the `@` syntax, as seen in `SKILL.md`.
  - Boundary markers: Utilizes HEREDOC (`<<'EOF'`) for task input but lacks explicit instructions or markers to prevent the agent from following instructions embedded within the ingested data or files.
  - Capability inventory: The `codeagent-wrapper` tool possesses high-privilege capabilities including file system writes, code refactoring, and parallel task execution.
  - Sanitization: There is no evidence of input validation, sanitization, or escaping of the task content or referenced file data before it is passed to the AI backends.
Audit Metadata