ask-copilot

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill is designed to pass untrusted strings directly to a CLI that has execution capabilities.
  • Ingestion points: The -p argument in copilot -p "..." (referenced in SKILL.md).
  • Boundary markers: None. The prompt is interpolated directly into the shell command.
  • Capability inventory: The copilot CLI, as described, can perform code generation, debugging, and 'delegating coding tasks' which typically involves file writes and shell execution.
  • Sanitization: None. The documentation explicitly recommends using --allow-all-tools, which bypasses the tool's internal security prompts.
  • [Remote Code Execution] (HIGH): The combination of prompt-based input and the --allow-all-tools flag creates a direct path for arbitrary code execution. If an attacker influences the prompt passed to this skill, they can execute any shell command the copilot utility is capable of running.
  • [Command Execution] (MEDIUM): The allowed-tools policy Bash(copilot *) is overly broad. It grants the agent permission to execute any subcommand or flag of the copilot utility, including those that might be used for data exfiltration or persistence if supported by the CLI.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 04:13 AM