coding-agent
Fail
Audited by Gen Agent Trust Hub on Mar 28, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to execute arbitrary shell commands via a `bash` tool. It provides extensive instructions on using pseudo-terminals (PTY) and background processes to run interactive command-line interfaces.
- [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of code generated by external AI agents. It explicitly encourages the use of the `--yolo` flag with the Codex CLI, which the documentation describes as 'most dangerous' because it bypasses all approvals, allowing the agent to execute actions and modify the workspace without human oversight.
- [EXTERNAL_DOWNLOADS]: The skill recommends the installation of an unverified third-party package (`@mariozechner/pi-coding-agent`) from a personal repository/registry rather than a well-known service or official organization.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8) through its automated Pull Request review workflows.
- Ingestion points: Untrusted code enters the environment via `git clone` and `gh pr checkout` commands documented in `SKILL.md`.
- Boundary markers: No boundary markers or 'ignore' instructions are used to separate untrusted code from the agent's internal logic.
- Capability inventory: The skill utilizes a `bash` tool capable of arbitrary command execution, file system modification, network access, and background process management (described in `SKILL.md`).
- Sanitization: No sanitization or validation of the external code is performed before it is processed by the coding agents.
Recommendations
- AI detected serious security threats
Audit Metadata