coding-agent
Fail
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation recommends running the Codex CLI with the '--yolo' flag, which it explicitly describes as "NO sandbox, NO approvals". That removes both safety gates (execution sandboxing and human approval) from automated code changes.
- [COMMAND_EXECUTION]: The bash tool's parameters include an 'elevated' option described as "Run on host instead of sandbox". Setting it moves execution out of the sandbox onto the host itself, so any command the agent runs, including one smuggled in through a task, acts directly on the host system.
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install third-party software, specifically the '@mariozechner/pi-coding-agent' package via npm, and to run 'pnpm install' inside project directories. Both steps fetch and execute external code, including any install scripts the packages declare.
- [PROMPT_INJECTION]: The skill is a wrapper around other agents (Codex, Claude, Pi) and interpolates the user-provided task directly into the shell commands that launch them. Task text therefore reaches both the shell (command injection) and the downstream agent (indirect prompt injection), with no boundary between the two.
- Ingestion points: User prompts are interpolated into 'command' strings for the Codex, Claude, and Pi agents within 'SKILL.md'.
- Boundary markers: The provided command templates use no delimiters around the task text and give the agent no instruction to ignore commands embedded in it.
- Capability inventory: Full subprocess execution via a bash tool with background processing, terminal emulation, and (through the 'elevated' option) host-level access.
- Sanitization: There is no evidence of input validation or sanitization before user data is passed to the external CLI tools.
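The ingestion-point and boundary-marker findings above describe a pattern rather than a specific exploit, so the following is an added example (not code from the audited skill or from the Gen Agent Trust Hub) that reproduces the pattern and contrasts it with a hardened launcher. It assumes a stand-in agent binary: instead of `codex`, `claude`, or `pi`, the "agent" is `printf '%s\n'`, which prints each argument it receives on its own line, so the script runs offline and the effect of a quote-breaking task is visible in the output. The command template, the hostile task, the leading-dash guard, the `<<<USER_TASK` delimiters, and the `flag_template_risks` checker are all this example's own design, not conventions the skill defines.

```python
"""Task interpolation into a shell string (the audited pattern) versus
argv passing with a flag guard and delimiter framing (the hardened form).

The agent binary is a stand-in: `printf '%s\n'` echoes every argument it
receives on its own line, which makes the shell's parsing decisions visible.
"""
import subprocess
from typing import List

# The shape the audit describes: the task text is dropped into a command
# template and the finished string is handed to a shell.
NAIVE_TEMPLATE = 'printf "%s\\n" "{task}"'

# Constructed hostile task: closes the double quote the template opened,
# appends a second command, and reopens a quote so the template still parses.
HOSTILE_TASK = 'fix the failing test"; echo INJECTED; echo "'

# Assumed delimiter convention so the downstream agent can separate task text
# from operator instructions. The skill itself uses no such markers.
TASK_OPEN, TASK_CLOSE = "<<<USER_TASK", "USER_TASK>>>"

# Template fragments the audit calls out; used by the template checker below.
RISKY_FRAGMENTS = {
    "--yolo": "sandbox and approvals disabled",
    "elevated": "runs on host instead of sandbox",
}


def naive_command(task: str) -> str:
    """Vulnerable: plain string interpolation, no escaping."""
    return NAIVE_TEMPLATE.format(task=task)


def run_naive(task: str) -> List[str]:
    """Executes the interpolated string through /bin/sh (shell=True)."""
    proc = subprocess.run(naive_command(task), shell=True,
                          capture_output=True, text=True, check=False)
    return proc.stdout.splitlines()


def frame_task(task: str) -> str:
    """Wrap the task in delimiters so the agent can tell it apart from its
    operator instructions. This limits, but does not eliminate, indirect
    prompt injection: the task text still reaches the model."""
    return f"{TASK_OPEN}\n{task}\n{TASK_CLOSE}"


def safe_argv(task: str) -> List[str]:
    """Hardened: the task is one argv element and no shell is involved, so
    quotes and semicolons are data. A leading dash is rejected so a task
    cannot be parsed by the agent CLI as a flag such as --yolo."""
    if task.lstrip().startswith("-"):
        raise ValueError("task must not start with '-' (looks like a CLI flag)")
    return ["printf", "%s\n", frame_task(task)]


def run_safe(task: str) -> List[str]:
    """Executes the argv list directly; the task never touches a shell."""
    proc = subprocess.run(safe_argv(task), capture_output=True,
                          text=True, check=False)
    return proc.stdout.splitlines()


def flag_template_risks(template: str) -> List[str]:
    """Static check over a SKILL.md-style command template: reports the
    sandbox-bypass fragments the audit names and any raw '{task}' slot that
    sits inside a string meant for a shell."""
    findings = []
    for fragment, why in RISKY_FRAGMENTS.items():
        if fragment in template:
            findings.append(f"{fragment}: {why}")
    if "{task}" in template:
        findings.append("{task}: interpolated into a shell string without quoting")
    return findings


if __name__ == "__main__":
    print("naive :", run_naive(HOSTILE_TASK))   # INJECTED appears as its own line
    print("safe  :", run_safe(HOSTILE_TASK))    # whole task is one literal line
    print("checks:", flag_template_risks('codex --yolo "{task}"'))
```

Run it as a script to see the two outputs side by side: with the naive template the shell splits the hostile task into three commands and `INJECTED` shows up as a separate output line, while the argv version prints the entire task verbatim between the delimiters. Two limits apply even to the hardened form: delimiter framing only helps an agent that has been told to treat the framed block as data, and passing the task as a clean argument does nothing about `--yolo` or `elevated` if the template itself still sets them, which is what `flag_template_risks` is for.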
Recommendations
- AI detected serious security threats
Audit Metadata