coding-agent

Warn

Audited by Gen Agent Trust Hub on Mar 3, 2026

Risk Level: MEDIUM

Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill explicitly promotes the use of the --yolo flag (a shortcut for --dangerously-bypass-approvals-and-sandbox) when running the Codex agent. This configuration intentionally removes security boundaries and manual approval steps, allowing the autonomous agent to execute arbitrary generated code directly on the host system.
  • [EXTERNAL_DOWNLOADS]: The documentation directs users to install a specific third-party NPM package (@mariozechner/pi-coding-agent) to enable additional agent capabilities.
  • [COMMAND_EXECUTION]: The core functionality of the skill involves wrapping and executing complex shell commands through background bash processes and tmux. This operational model provides a wide attack surface for command injection if inputs are not strictly controlled.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection because it is designed to ingest and process untrusted external data, specifically when reviewing Pull Requests or fixing issues in cloned repositories.
    • Ingestion points: External repository content via git clone, PR branches via gh pr checkout, and diff outputs processed by the agents.
    • Boundary markers: No boundary markers or 'ignore' instructions are provided to prevent agents from obeying malicious commands embedded in the code or PR descriptions being analyzed.
    • Capability inventory: The agents are granted shell access, file system modification rights, and network access via the gh and git CLI tools.
    • Sanitization: There is no evidence of sanitization, filtering, or validation of the external content before it is processed by the autonomous agents.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 3, 2026, 04:41 AM