codebase-researcher
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it is designed to ingest and process untrusted codebase content.
- Ingestion Points: Subagents read project files using
Read,Grep, andGlobacross all discovered directories inscripts/deep_research.sh. - Capability Inventory: Subagents are explicitly granted the
Bashtool in thegenerate_subagents_jsonfunction, providing a direct path to system command execution. - Boundary Markers: None identified; the skill does not use delimiters or specific instructions to prevent the agent from obeying commands embedded in source code or documentation.
- Sanitization: None; codebase content is directly interpolated into agent context.
- [COMMAND_EXECUTION] (HIGH): The skill metadata in
SKILL.mdand the subagent generation logic inscripts/deep_research.shexplicitly allow theBashtool. While the primary script attempts to use--permission-mode planas a mitigation, the skill's structure encourages spawning agents with shell access that can be exploited via the aforementioned injection vector. - [DATA_EXFILTRATION] (MEDIUM): Because the skill aggregates information into persistent documentation files (e.g.,
CLAUDE.md,references/), an attacker could use indirect prompt injection to force the agent to read sensitive local files (like.envor SSH keys) and write their contents into the publicly visible research artifacts.
Recommendations
- AI detected serious security threats
Audit Metadata