copilot-manager
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: Uses shell commands via `bash rm` to delete configuration files and entire skill directories when a user requests the removal of a customization.
- [CREDENTIALS_UNSAFE]: Accesses and parses sensitive configuration files that may contain API keys, tokens, or private environment settings, including `~/.copilot/config.json`, `~/.copilot/mcp-config.json`, and `.vscode/settings.json`.
- [PROMPT_INJECTION]: Analyzes and reconciles various markdown instruction files (e.g., `CLAUDE.md`, `GEMINI.md`, and `.instructions.md` files), which creates a surface for indirect prompt injection if these files are sourced from an untrusted repository.
- Ingestion points: Reads content from project-level and user-level guidance files, agents, and prompts.
- Boundary markers: Not explicitly defined in the discovery or audit logic for parsing these files.
- Capability inventory: Employs file reading, editing, and deletion capabilities across the local filesystem.
- Sanitization: Relies on the agent's internal logic for parsing YAML frontmatter and markdown body.
Audit Metadata