coding-agent
Fail
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill implements a bash tool with an 'elevated' parameter that allows commands to run on the host instead of a sandbox, creating a significant risk of privilege escalation.
- [EXTERNAL_DOWNLOADS]: The documentation instructs users to install a third-party Node.js package from an unverified personal namespace.
  - Evidence: `npm install -g @mariozechner/pi-coding-agent` found in SKILL.md.
- [COMMAND_EXECUTION]: The skill provides explicit instructions to bypass safety features and sandboxing in external coding tools.
  - Evidence: Recommended use of `--yolo` (described as 'NO sandbox, NO approvals') and `--permission-mode bypassPermissions` flags in SKILL.md.
- [PROMPT_INJECTION]: The skill exposes a significant surface for indirect prompt injection through the automated processing of external repository data.
  - Ingestion points: Commands such as `git clone` and `gh pr checkout` are used to pull external, untrusted content (SKILL.md).
  - Boundary markers: No delimiters or instructions to ignore embedded commands are present in the provided workflows.
  - Capability inventory: The skill possesses full shell execution capabilities through the `bash` tool and direct process interaction via the `submit` and `write` actions (SKILL.md).
  - Sanitization: External code and pull request data are processed and executed without sanitization or validation.
- [REMOTE_CODE_EXECUTION]: The skill facilitates remote code execution by automating the retrieval and processing of external code from GitHub, which is then executed by agents in high-privilege or 'un-sandboxed' modes.
  - Evidence: Workflows in SKILL.md involve cloning arbitrary repositories and checking out pull requests for automated agent execution.
Recommendations
- AI detected serious security threats
Audit Metadata