retro-copilot
Warn
Audited by Gen Agent Trust Hub on May 20, 2026
Risk Level: MEDIUM
Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection due to the ingestion of untrusted data from error logs, diffs, and conversation summaries to generate configuration updates.
- Ingestion points: Ingests logs, terminal history, and conversation context (defined in SKILL.md Phase 1).
- Boundary markers: Lacks explicit delimiters or instructions to ignore embedded directives in the ingested data.
- Capability inventory: Permissions to write to multiple files in ~/.copilot, including executable hooks and MCP configurations.
- Sanitization: Relies on an LLM-based "Safety & Scope Gate" which can be bypassed by adversarial content.
- [DATA_EXFILTRATION]: Accesses and modifies sensitive user configuration files within the ~/.copilot directory, specifically targeting mcp-oauth-config, permissions-config.json, and settings.json, which may contain credentials or internal environment details.
- [COMMAND_EXECUTION]: Modifies automated behavior definitions in ~/.copilot/hooks/**/*.json and tool configurations in mcp-config.json. The "safe-auto" mode allows the skill to apply these changes without user review, creating a potential path for persistent command execution if malicious logic is successfully injected into the source data.
Audit Metadata