copilot-cli-agent

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the copilot CLI tool via shell commands to perform analysis tasks. It utilizes piping and redirection (e.g., cat <PERSONA_PROMPT> | copilot -p "<INSTRUCTION>" <INPUT> > <OUTPUT>) to move data between the agent and the sub-agent process.
  • [PROMPT_INJECTION]: The skill is designed to process untrusted external data, which introduces a surface for indirect prompt injection (Category 8).
  • Ingestion points: Untrusted data enters the sub-agent context through file redirection and shell piping to the copilot command, as seen in the examples in SKILL.md (e.g., < large.log).
  • Boundary markers: The skill includes defensive instructions in the prompts dispatched to the CLI: "Do NOT use tools. Do NOT search filesystem." (documented in SKILL.md and references/acceptance-criteria.md). These act as boundary markers to limit the sub-agent's behavior.
  • Capability inventory: The outer agent has Bash, Read, and Write tools. Although the sub-agent is instructed not to use tools, a successful indirect injection could still try to trick the outer agent into executing malicious sub-agent output with those tools.
  • Sanitization: There is no mention of input sanitization or filtering of the data before it is passed to the Copilot CLI.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 08:58 AM