copilot-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8).
  1. Ingestion points: The skill automatically loads 'AGENTS.md' or '.copilot/AGENTS.md' from the working directory.
  2. Boundary markers: Absent; no delimitation or ignore-embedded-instructions warnings are used.
  3. Capability inventory: Includes full shell execution (copilot -p), file write (--share), and network access (--allow-all-urls).
  4. Sanitization: Absent. A malicious repo can use AGENTS.md to hijack the agent and execute commands via the provided flags.
- [COMMAND_EXECUTION] (HIGH): The skill explicitly promotes the use of '--allow-all' and '--yolo' flags, which bypass user confirmation for shell command execution. This allows an agent, potentially influenced by a malicious prompt, to perform unauthorized operations on the host system.
- [DATA_EXFILTRATION] (HIGH): Capabilities such as '--allow-all-paths' combined with '--allow-all-urls' or '--share-gist' provide a complete path for exfiltrating sensitive information from the local environment to external attacker-controlled endpoints.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The 'copilot update' and plugin management commands involve downloading and executing external code at runtime. The skill lacks integrity verification or source validation for these operations, presenting a potential supply chain risk.
Recommendations
- AI detected serious security threats
Audit Metadata