oracle
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill invokes external binaries (`cursor-agent`, `codex`, `opencode`) via Bash and directly interpolates the `[user's complete request]` into the command string. This lacks any sanitization or escaping, allowing for potential command injection if the user input contains shell metacharacters.
- [REMOTE_CODE_EXECUTION] (HIGH): By passing unvalidated user instructions to secondary execution agents, the skill allows a user to perform any action the secondary agent is capable of, effectively delegating full system access to an unverified third-party tool.
- [SECURITY_BYPASS] (HIGH): The instruction for the `codex` tool specifically includes the flag `--dangerously-bypass-approvals-and-sandbox`. This is a critical security risk as it explicitly disables safety guardrails and human-in-the-loop requirements intended to prevent malicious actions.
- [INDIRECT_PROMPT_INJECTION] (LOW): The skill processes untrusted user data without boundary markers or sanitization before passing it to downstream tools.
- Ingestion points: The user's request is captured in `SKILL.md` and passed to shell commands.
- Boundary markers: Absent; the agent is told to pass the request 'directly... without modification'.
- Capability inventory: Uses the `Bash` tool to execute arbitrary commands.
- Sanitization: Absent; no escaping or filtering is performed on the input string.
Recommendations
- AI detected serious security threats
Audit Metadata