get-qodo-rules

Warn

Audited by Gen Agent Trust Hub on Mar 12, 2026

Risk Level: MEDIUM
Findings: CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill retrieves an API_KEY from the local configuration file ~/.qodo/config.json.
  • [DATA_EXFILTRATION]: The skill transmits the API_KEY to the qodo.ai domain. While this is the intended functionality for the Qodo integration, the transmission of local secrets to a remote endpoint is a sensitive operation.
  • [PROMPT_INJECTION]: The skill instructs the agent to treat externally fetched "rules" as non-negotiable and mandatory ("Must comply"). This creates a surface for indirect prompt injection where a compromised or malicious API response could hijack agent behavior.
  • [EXTERNAL_DOWNLOADS]: The skill performs HTTP GET requests to qodo-platform.{ENVIRONMENT_NAME}.qodo.ai to retrieve rules and configuration data.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 12, 2026, 02:35 PM