coding-agent
Fail
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill provides comprehensive instructions for executing arbitrary shell commands through multiple autonomous agents (Codex, Claude Code, OpenCode, Pi). It explicitly recommends using high-risk configurations such as pty:true for interactive terminal access and elevated:true to run processes on the host system instead of in a sandbox.
- [REMOTE_CODE_EXECUTION]: The skill directs the AI to use the --yolo flag with the Codex CLI, which is documented within the skill as having 'NO sandbox, NO approvals'. This configuration allows an autonomous agent to execute code and modify the file system without user oversight.
- [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: The skill is designed to fetch and process untrusted external data via git clone and gh pr checkout (as seen in the 'Reviewing PRs' and 'Parallel Issue Fixing' sections).
  - Boundary markers: There are no instructions provided to use delimiters or to ignore instructions embedded within the external code or PR descriptions being processed.
  - Capability inventory: The skill grants access to a full bash shell with PTY support, background process management, and the ability to send raw input to stdin via the process tool actions (write, submit).
  - Sanitization: There is no mention of sanitizing or validating the content of the PRs or repositories before they are analyzed and acted upon by the agents.
- [EXTERNAL_DOWNLOADS]: The skill includes instructions to install external software from non-vendor sources, specifically the @mariozechner/pi-coding-agent package via NPM.
Recommendations
- AI detected serious security threats
Audit Metadata