gepetto
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION] (HIGH): Identified in references/external-review.md. The skill provides instructions to execute bash commands that use shell substitution $(cat '<planning_dir>/claude-plan.md') to inject file contents into command arguments for the gemini and codex CLIs. Because claude-plan.md is derived from web research, an attacker can use indirect prompt injection to insert shell metacharacters (e.g., backticks, semicolons) into the plan, leading to arbitrary command execution on the host system.
- [PROMPT_INJECTION] (HIGH): The skill implements a high-risk Indirect Prompt Injection surface (Category 8) through its research protocol.
  - Ingestion points: references/research-protocol.md utilizes WebSearch and WebFetch to ingest untrusted data from the internet.
  - Boundary markers: No boundary markers or delimiters are defined to isolate untrusted web content from the agent's instructions.
  - Capability inventory: The ingested data is synthesized into a plan that is subsequently processed by shell-executing tools and subagents.
  - Sanitization: No sanitization or validation of the fetched web content is present.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill relies on external CLI dependencies (gemini and codex). It explicitly instructs the agent to use dangerous flags such as --approval-mode yolo and --full-auto, which are designed to bypass human-in-the-loop approvals and interactive safety prompts.
- [DATA_EXFILTRATION] (MEDIUM): The external-review.md protocol sends the entire contents of implementation plans (which may contain sensitive architecture or proprietary logic) to external LLM providers (Google and OpenAI) via CLI tools, creating a risk of data exposure.
Recommendations
- AI detected serious security threats
Audit Metadata