coding-agent
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill defines a `bash` tool that permits the execution of arbitrary shell commands. It includes an `elevated` parameter specifically designed to run processes on the host system rather than within a restricted sandbox.
- [REMOTE_CODE_EXECUTION]: The documentation actively promotes the `--yolo` flag for the Codex CLI, which is described as having "NO sandbox, NO approvals," creating a direct path for unverified, LLM-generated code to execute with full system access.
- [EXTERNAL_DOWNLOADS]: The skill provides explicit instructions for downloading and installing external packages (e.g., `npm install -g @mariozechner/pi-coding-agent`) and executing dependency installations (`pnpm install`) from potentially untrusted remote repositories.
- [PROMPT_INJECTION]: The skill contains instructions designed to bypass tool-specific security constraints, such as using `mktemp` and `git init` to circumvent Codex's refusal to run in untrusted directories.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection due to its core functionality of processing external code and Pull Requests.
  - Ingestion points: External repositories and Pull Request diffs via `git clone` and `gh pr checkout` in SKILL.md.
  - Boundary markers: None are defined to separate untrusted code from the agent's instructions.
  - Capability inventory: Includes full `bash` execution, `elevated` host permissions, and interactive terminal control through `process` tool actions like `write` and `submit`.
  - Sanitization: No sanitization or validation of the content being processed is performed; the skill relies solely on advisory warnings to the user.
Recommendations
- AI detected serious security threats
Audit Metadata