coding-agent
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation explicitly promotes the use of the --yolo flag for the Codex CLI, which is described as disabling the sandbox and all manual approvals. This encourages the execution of unvetted code with high autonomy.
- [COMMAND_EXECUTION]: The bash tool definition includes an elevated parameter which, when set to true, allows the command to run on the host system instead of within a sandbox, facilitating privilege escalation.
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install a third-party package, @mariozechner/pi-coding-agent, from the NPM registry. This package originates from an unverified external source.
- [PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from external sources, creating a surface for Indirect Prompt Injection.
  - Ingestion points: Use of git clone and gh pr checkout to pull external, potentially attacker-controlled code into the active workspace for analysis and refactoring.
  - Boundary markers: There are no delimiters or specific instructions provided to the agents to distinguish between skill instructions and the external data being processed.
  - Capability inventory: The skill utilizes the bash tool with pty:true and background:true permissions, allowing for broad file system access and shell command execution.
  - Sanitization: No sanitization, filtering, or validation steps are performed on the external code before it is passed to the LLM agents.
Recommendations
- AI detected serious security threats
Audit Metadata