Skills
skills/openclaw/skills/coding-agent/Gen Agent Trust Hub

coding-agent

Fail

Audited by Gen Agent Trust Hub on Mar 20, 2026

Risk Level: HIGHREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill's documentation (README.md) recommends a high-risk installation method for the Kiro CLI dependency by piping a remote script directly to a shell (curl -fsSL https://cli.kiro.dev/install | bash). This pattern executes unverified code from an external domain.
  • [COMMAND_EXECUTION]: The skill instructions explicitly direct the agent to utilize security-degrading command flags. It encourages the use of '--yolo' for Codex CLI (described as 'NO sandbox, NO approvals') and '--trust-all-tools' for Kiro CLI to skip confirmation prompts. These instructions deliberately circumvent built-in safety guardrails designed to prevent unauthorized system modifications.
  • [COMMAND_EXECUTION]: The skill definition in SKILL.md exposes an 'elevated' parameter for the bash tool, which permits the agent to execute shell commands directly on the host system rather than within a restricted sandbox environment.
  • [PROMPT_INJECTION]: The skill uses 'magic word' triggers (e.g., 'kiro') and specific instructional patterns that could be exploited to steer agent behavior outside of intended safety constraints.
  • [COMMAND_EXECUTION]: The skill grants the agent extensive process management capabilities, including the ability to send raw stdin data and terminal key sequences to background sessions, which can be used to manipulate interactive CLI tools in an opaque and unvetted manner.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as user-provided text is interpolated directly into shell commands for various coding agents without sanitization or boundary markers.
  • Ingestion points: User-provided queries and task descriptions processed in SKILL.md.
  • Boundary markers: None; the skill lacks delimiters or 'ignore embedded instructions' warnings for the interpolated content.
  • Capability inventory: Includes shell execution (bash), session management (process), and host-system access (elevated: true).
  • Sanitization: No validation or escaping of user input is implemented before command execution.
Recommendations
  • HIGH: Downloads and executes remote code from: https://cli.kiro.dev/install - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 20, 2026, 11:14 AM