coding-agent-2

Warn

Audited by Gen Agent Trust Hub on Mar 24, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions and examples for executing commands through various coding agents (Codex, Claude Code, Gemini CLI, Pi) with safety and permission checks disabled. Specifically, it encourages the use of flags like --yolo (defined as 'NO sandbox, NO approvals'), --dangerously-skip-permissions, and -y (yolo mode) for Gemini.
  • [PROMPT_INJECTION]: The instructions explicitly direct the agent to bypass standard safety protocols and tool-use approvals of the underlying coding agents to achieve 'Full Auto' or 'YOLO' execution modes.
  • [EXTERNAL_DOWNLOADS]: The documentation references and provides instructions for installing external, unverified third-party packages and CLIs, such as @mariozechner/pi-coding-agent via npm, and references a GitHub repository (kesslerio/coding-agent-moltbot-skill) that does not match the stated author context.
  • [DATA_EXFILTRATION]: The skill defines an attack surface for indirect prompt injection by instructing the agent to ingest untrusted data (e.g., performing batch PR reviews from external contributors) while having full bash and PTY capabilities.
      • Ingestion points: Untrusted code from git clones and PR checkouts (documented in SKILL.md).
      • Boundary markers: Absent; the skill does not use delimiters or instructions to ignore embedded commands in the code being reviewed.
      • Capability inventory: Full bash tool execution, process control (stdin/stdout access), and potential network access through the coding agents.
      • Sanitization: None provided; the skill relies on the coding agents to safely handle the input, while simultaneously instructing those agents to disable their own permission checks.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 24, 2026, 12:24 AM