qwen-code-permission
Warn
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bundled Python script (scripts/add_permission.py) using the uv tool to modify the filesystem.
  - The script programmatically alters ~/.qwen/settings.json, which is the primary configuration file for managing security permissions in the host environment.
- [PROMPT_INJECTION]: The skill presents a significant surface for indirect prompt injection due to its broad trigger conditions and lack of input validation.
  - Ingestion points: The skill triggers on phrases like "always allow", "permission rule", or "auto-approve this command", which are frequently found in third-party documentation, README files, or web content that the agent may process.
  - Boundary markers: Absent. The skill does not instruct the agent to distinguish between direct user commands and instructions found within processed data.
  - Capability inventory: The skill has the capability to grant persistent, non-confirming access to sensitive tools such as run_shell_command(Bash), read_file, and web_fetch by adding them to the allow list in settings.json.
  - Sanitization: Absent. There is no validation to ensure that the rule being added does not grant overly permissive access (e.g., allowing all Bash commands) or that the request originated from the user's intent rather than an external script.
- [COMMAND_EXECUTION]: By automating the addition of allow rules, the skill facilitates the removal of "human-in-the-loop" safety confirmations. If exploited, an attacker could instruct the agent to read a file containing a trigger phrase that permanently allows all shell commands, effectively bypassing the security sandbox for future interactions.