confer
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes shell commands to interface with external CLI tools (codex, claude, and tmux).
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use high-risk flags that bypass core security mechanisms:
  - The --dangerously-bypass-approvals-and-sandbox flag for the codex exec command removes isolation and user confirmation requirements.
  - The --dangerously-skip-permissions flag for the claude CLI disables authorization checks for the prompt being processed.
- [COMMAND_EXECUTION]: The skill uses tmux send-keys to programmatically inject strings into a terminal session, which can lead to arbitrary command execution if the input is not strictly controlled.
- [PROMPT_INJECTION]: The skill establishes an attack surface for indirect prompt injection by acting as a bridge that passes unvalidated prompts from one agent to another.
  - Ingestion points: The <prompt> placeholder within the command templates in SKILL.md.
  - Boundary markers: No specific delimiters or "ignore instructions" headers are used to wrap the input data.
  - Capability inventory: The tools being invoked have the ability to read/write files and execute system commands.
  - Sanitization: No sanitization or escaping of the prompt string is implemented before execution.
Recommendations
- AI detected serious security threats
Audit Metadata