code-investigate
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFE
COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a secondary agent through the mcp__codex__codex tool with the approval-policy parameter set to never. This enables the sub-agent to execute shell commands such as grep and read automatically without manual approval, although the risk is mitigated by a sandbox: 'read-only' constraint.
- [PROMPT_INJECTION]: User-provided strings (e.g., userQuestion, featureName, problemDescription) are interpolated directly into the task prompts for the secondary agent. This creates a surface for indirect prompt injection where malicious user input could attempt to bypass the skill's logic or influence the agent's output.
- Ingestion points: Variables ${userQuestion}, ${featureName}, and ${problemDescription} in the references/prompts.md file.
- Boundary markers: The prompt templates utilize Markdown headers to separate project info from task requirements but lack explicit instruction delimiters or 'ignore' warnings for the variable content.
- Capability inventory: The secondary agent has access to Bash, Grep, Glob, and Read tools for codebase analysis.
- Sanitization: There is no evidence of sanitization, filtering, or escaping for the user-supplied strings before they are embedded into the prompt.
Audit Metadata