qwen-coder

Warn

Audited by Gen Agent Trust Hub on Apr 12, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands by interpolating user-provided prompts into a bash command string (e.g., qwen -p "<english-prompt>"). Wrapping the prompt in double quotes does not make this safe: an embedded double quote closes the argument and the remainder of the prompt is parsed as further shell commands, and $(...), backticks and $variables are still expanded inside double quotes. A prompt containing such characters, whether typed by the user or copied out of project files, can therefore break out of the intended command and run arbitrary commands with the agent's privileges. The safe pattern is to pass the prompt as a single argument, or to shell-quote it before building the command string, rather than splicing it into a string that the shell re-parses.
  • [DATA_EXFILTRATION]: The skill is designed to send project context and user-provided prompts to an external command-line interface (qwen). While this is the intended functionality, it involves transferring potentially sensitive code or information from the local environment to an external process or API.
  • [PROMPT_INJECTION]: The skill's primary function is to transform user requests into prompts for another AI model. This pattern is susceptible to prompt injection, where a user can craft a request that causes the delegated model (Qwen) to ignore its constraints or perform unintended actions.
  • [INDIRECT_PROMPT_INJECTION]: The skill includes instructions to incorporate project context and files into prompts sent to the external CLI, creating an attack surface for malicious instructions embedded in project data (source comments, README text, configuration files, dependency metadata).
      • Ingestion points: Project context and files are explicitly included in the qwen -p prompt construction within SKILL.md.
      • Boundary markers: The skill provides a structured prompt template but does not use robust delimiters around ingested content, nor does it instruct the external model to disregard directives that appear inside that content, so commands hidden in the ingested files can be followed as if they were part of the user's request.
      • Capability inventory: The skill uses Bash for command execution and has Read and Write access to the file system, so a successful injection can reach beyond the model's output into the local environment.
      • Sanitization: There is no evidence of sanitization or filtering of the ingested content before it is passed to the external model.
  • [PRIVILEGE_ESCALATION]: The skill supports a --approval-mode yolo flag which 'approves all operations without confirmation'. While the documentation warns to use this mode only when the user explicitly requests it, it gives the agent a mechanism to perform autonomous and potentially destructive file system modifications without human oversight. Combined with the injection findings above, this means an injected instruction could be carried out end to end with no confirmation prompt in the way.
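The following is an added example illustrating the COMMAND_EXECUTION finding; it is not code from the qwen-coder skill or from the qwen CLI. It shows what happens when a prompt containing shell metacharacters is pasted into a command string and evaluated (the qwen -p "<prompt>" pattern), next to two safe alternatives: passing the prompt as a single argv element, and single-quoting it when a command string must be produced. printf stands in for qwen -p so the script runs offline; the PAYLOAD string is a constructed attacker-controlled prompt.

```shell
#!/bin/sh
# Added example (not the skill's or the qwen CLI's own code). `printf '%s\n'`
# is the stand-in for `qwen -p`; the real skill would run qwen -p "<prompt>".

# Constructed attacker-controlled prompt: closes the double-quoted argument,
# runs an extra command, then re-opens a quote so the line still parses.
PAYLOAD='x"; echo INJECTED; echo "'

# Vulnerable: the prompt is interpolated into a command string that is then
# evaluated, which is what an agent does when it fills in qwen -p "<prompt>".
# Double quotes do not help; the embedded " ends the argument early.
vulnerable_run() {
  prompt=$1
  eval "printf '%s\n' \"$prompt\""     # real skill: eval "qwen -p \"$prompt\""
}

# Hardened: hand the prompt to the program as one argument. The shell expands
# "$prompt" once and never re-parses its contents as syntax.
safe_run() {
  prompt=$1
  printf '%s\n' "$prompt"              # real skill: qwen -p "$prompt"
}

# When a command *string* is unavoidable (for example a tool that only accepts
# text to run via `bash -c`), wrap the prompt in single quotes and escape any
# embedded single quote as '\''. This is POSIX; on bash, printf %q is the
# built-in equivalent. Note: $(...) drops trailing newlines from the prompt.
shell_quote() {
  printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

quoted_string_run() {
  prompt=$1
  cmd="printf '%s\n' $(shell_quote "$prompt")"   # real skill: "qwen -p $(shell_quote "$prompt")"
  eval "$cmd"
}

# Stand-alone demonstration: the first call leaks INJECTED, the other two
# deliver the prompt verbatim.
vulnerable_run "$PAYLOAD"
safe_run "$PAYLOAD"
quoted_string_run "$PAYLOAD"
```

In the vulnerable path the evaluated line becomes printf '%s\n' "x"; echo INJECTED; echo "", so the injected echo runs as its own command. The two safe paths deliver the whole payload, quotes and semicolons included, as data. Of the two, safe_run is preferable: a skill template should tell the agent to invoke the tool with the prompt as an argument, not to compose shell text.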
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 12, 2026, 01:06 AM