codebase-research

The artifact is a capability-specification for a codebase-research agent and contains no explicit malicious payloads, hard-coded credentials, or obfuscated instructions. The primary risk arises from excessive privileges: granting unrestricted Bash alongside file-reading tools enables reading of sensitive system files, modification of the environment, and direct network exfiltration — actions inconsistent with the declared read-only intent. Treat this as a policy/privilege risk (suspicious configuration) rather than proven malware in the document itself. Reduce risk by removing or tightly scoping Bash, applying filesystem allowlists, and restricting network egress for the execution environment.