codemapper
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): Vulnerable to Indirect Prompt Injection. The skill is designed to read and process external codebase content, which is inherently untrusted. If an attacker places malicious instructions inside source code comments or string literals, the agent could be tricked into executing unwanted actions when it retrieves that content (e.g., via `cm query --show-body`).
- Ingestion points: Any file within the directory targeted by the `cm` commands.
- Boundary markers: No explicit delimiters or instructions to ignore embedded commands are defined in the skill's usage patterns.
- Capability inventory: Accesses file system metadata and content; results are returned to the agent's context for decision-making.
- Sanitization: No sanitization of the analyzed code content is performed before presentation to the agent.
- [COMMAND_EXECUTION] (MEDIUM): The skill relies on a non-standard CLI tool (`cm`). While it appears to be a legitimate utility, its security profile is unknown, and the skill assumes it is already present and trusted on the host system. Command execution on local paths without validation can be risky if the paths are manipulated.
Recommendations
- AI detected serious security threats
Audit Metadata