code-implementer

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill is designed to read a technical plan from a session directory and 'Run the exact commands in the plan'. Because the agent is instructed to execute build and test commands (e.g., npm run build, npm test) found within these untrusted files, an attacker could embed malicious commands in a project's plan file to achieve host compromise.
  • [COMMAND_EXECUTION] (HIGH): The skill utilizes run_shell_command to execute local scripts (e.g., ~/.gemini/extensions/pickle-rick/scripts/get_session.sh). This capability is leveraged throughout the implementation loop to execute arbitrary logic defined in the ingested session data.
  • [PROMPT_INJECTION] (MEDIUM): The skill uses 'God Mode' terminology in its description and explicitly commands the agent to 'Follow the plan' regardless of its own internal reasoning ('I don't care if you have a better idea'). This effectively forces the agent to bypass its own safety checks in favor of instructions found in potentially malicious external data.
  • [INDIRECT_PROMPT_INJECTION] (HIGH): Mandatory Evidence Chain:
      • Ingestion points: Files located in [Session_Root] (Technical Plan).
      • Boundary markers: Absent. The agent is told to read the plan 'FULLY' without delimiters.
      • Capability inventory: run_shell_command, write_file, replace, and arbitrary shell execution of build/test scripts.
      • Sanitization: None. The skill explicitly instructs the agent to 'Run the exact commands in the plan' without filtering.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 01:06 PM