coding-agent
Fail
Audited by Gen Agent Trust Hub on Feb 28, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill grants the subagent (Claude Code) full filesystem access and the ability to execute arbitrary commands via the
Bashtool. The documentation explicitly encourages using these capabilities for complex system-level tasks like refactoring and scaffolding. - [COMMAND_EXECUTION]: The skill provides and describes a
--yoloflag, which is documented as 'dangerously-skip-permissions'. This flag explicitly disables standard security safeguards (permission prompts), allowing for fully autonomous work that bypasses human-in-the-loop verification for sensitive operations. - [PROMPT_INJECTION]: The skill exhibits a significant indirect prompt injection surface.
- Ingestion points: The skill takes a user-provided task description as input for the
alma coding-agent runcommand. - Boundary markers: There are no visible delimiters or 'ignore' instructions to prevent the subagent from following malicious instructions embedded within the task string.
- Capability inventory: The subagent has 'full filesystem access', shell access via
Bash, and can run autonomously via the--yoloflag. - Sanitization: No evidence of input validation or sanitization is present. An attacker could provide a task that includes commands to exfiltrate files or install persistent backdoors, which the subagent might execute autonomously.
Recommendations
- AI detected serious security threats
Audit Metadata