codeagent
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of codeagent-wrapper, a tool designed to perform arbitrary code analysis and refactoring tasks. This includes capabilities for parallel execution and session management.
- [COMMAND_EXECUTION]: Provides functionality to explicitly bypass security prompts using the --dangerously-skip-permissions flag or the CODEAGENT_SKIP_PERMISSIONS environment variable, which reduces user oversight during automated task execution.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection (Category 8) due to the processing of untrusted external content.
  - Ingestion points: Untrusted data enters the context via the task content and file references using the @file syntax (documented in SKILL.md).
  - Boundary markers: The skill uses HEREDOC (EOF) delimiters for command construction, but lacks explicit instruction boundary markers or warnings to the AI backend to ignore embedded commands within the ingested files.
  - Capability inventory: The skill allows for complex subprocess execution, file system interaction, and multi-file refactoring through the codeagent-wrapper command.
  - Sanitization: There is no evidence of sanitization, validation, or escaping of the content retrieved from @file references before it is passed to the AI backends.
Audit Metadata