ai-code-mode
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
Categories: REMOTE_CODE_EXECUTION, PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill's core purpose is to execute TypeScript code generated by an LLM via the execute_typescript tool. To mitigate risks, it implements various sandboxing drivers such as isolated-vm, QuickJS, and Cloudflare Workers to enforce resource constraints and isolation from the host environment.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection, as it processes and executes code derived from potentially untrusted user input within chat messages.
  - Ingestion points: Untrusted data enters the agent context through the messages array in the chat function.
  - Boundary markers: While the skill documentation mentions a system prompt for providing type stubs, it does not detail specific boundary markers or instructions to ignore embedded commands in user-supplied data.
  - Capability inventory: The environment includes powerful capabilities such as execute_typescript, register_skill, and user-defined tools (e.g., fetchWeather) that allow interaction with external systems.
  - Sanitization: Security is primarily managed through runtime environment isolation (sandboxing) rather than through filtering or sanitization of the generated code.
- [COMMAND_EXECUTION]: The sandboxed environment is designed to call external tools defined by the developer, allowing generated code to perform multi-step operations that interact with host-side tool implementations.
- [DATA_EXFILTRATION]: The documentation explicitly warns against passing API keys or other secrets directly into the sandbox environment, noting that any accessible credentials could be exfiltrated by generated code through available tool calls.
Audit Metadata