product-analysis
Fail
Audited by Gen Agent Trust Hub on Feb 25, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the Bash tool to detect local development environments and project types using commands like 'which codex', 'ls package.json', and 'ls pyproject.toml'.
- [REMOTE_CODE_EXECUTION]: The skill invokes the external 'codex' CLI tool using high-risk autonomous flags: '--full-auto' and '--dangerously-bypass-approvals-and-sandbox'. These flags explicitly disable security sandboxing and user approval prompts for command execution, effectively handing control of the local shell to an external model's reasoning output.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the analysis of untrusted local project files. 1. Ingestion points: The skill reads local source code, router files, and configuration files (e.g., .env, base.yaml) during exploration. 2. Boundary markers: No explicit delimiters or instructions are used to separate untrusted file content from the agent's instructions. 3. Capability inventory: The skill has access to the Bash tool, background task execution via the Task tool, and autonomous CLI execution with sandbox bypasses. 4. Sanitization: No validation or sanitization of file content is performed before it is processed by the agents.
Recommendations
- AI detected serious security threats
Audit Metadata