coding-agent

Warn

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for executing arbitrary shell commands via a bash tool to control external coding agents such as Codex and Claude Code.
  • [COMMAND_EXECUTION]: Explicitly recommends using the --yolo flag for the Codex CLI, which disables sandboxing and mandatory safety approvals.
  • [COMMAND_EXECUTION]: Promotes the use of the elevated:true parameter to run processes on the host system instead of a restricted sandbox.
  • [REMOTE_CODE_EXECUTION]: Describes workflows for cloning and interacting with code from external GitHub repositories using git and the gh CLI.
  • [DATA_EXFILTRATION]: Provides examples of sending data externally to GitHub using the gh pr comment command.
  • [PROMPT_INJECTION]: Recommends appending automated notification commands to prompts sent to other agents, which could be abused for command injection if the initial prompt is compromised.
  • [PROMPT_INJECTION]: Vulnerable to indirect prompt injection when the agent processes data from external sources like pull request diffs or cloned codebases.
  • Ingestion points: External repositories and pull request content via git clone and gh pr checkout as described in SKILL.md.
  • Boundary markers: None defined to isolate instructions from the external data being processed.
  • Capability inventory: Full shell access via the bash tool, including elevated and background execution modes.
  • Sanitization: No mention of sanitizing or validating external content before it is passed to the coding agents.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 6, 2026, 06:19 PM