codeagent

Fail

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: HIGH
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill provides explicit instructions to bypass security filters and permission prompts. Evidence: The documentation describes how to use the CODEAGENT_SKIP_PERMISSIONS environment variable or the --dangerously-skip-permissions flag to disable safety checks for the Claude backend. Risk: This encourages a configuration that intentionally removes standard safety guardrails during automated execution.
  • [COMMAND_EXECUTION]: The skill executes an external CLI tool to perform arbitrary tasks on the local filesystem. Evidence: Commands such as `codeagent-wrapper --backend codex [working_dir] <<'EOF'` are used to pipe task content directly into the execution engine. Risk: This allows complex operations to be performed on the user's codebase based on instructions that may originate from untrusted sources or compromised AI backends.
  • [DATA_EXFILTRATION]: The skill facilitates sending local file content to external AI service providers. Evidence: The @ syntax (e.g., @src/core, @package.json) allows the tool to reference and read local files, incorporating their content into the data sent to Codex, Claude, or Gemini backends. Risk: This represents a data exposure risk where sensitive source code or configuration files are transmitted to third-party APIs without a granular review.
  • [REMOTE_CODE_EXECUTION]: The skill enables a workflow where remote AI backends generate code that is subsequently applied or executed in the local environment. Risk: If a backend returns malicious code or is subject to a prompt injection attack, that code could be applied to the local system via the wrapper's automation features, potentially leading to unauthorized system modifications.
  • [COMMAND_EXECUTION]: (Indirect Prompt Injection Surface) The skill processes untrusted data which could contain malicious instructions. Ingestion points: The task parameter and files referenced via the @ syntax in SKILL.md. Boundary markers: Absent; the skill uses HEREDOC syntax for tasks but does not define delimiters to separate instructions from data content. Capability inventory: The codeagent-wrapper tool performs file system modifications, code generation, and complex refactoring across multiple files. Sanitization: Absent; there is no evidence of validation or sanitization of the input task or the content of referenced files before they are processed by the AI backends.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 6, 2026, 12:56 AM