skills/cexll/myclaude/codeagent/Gen Agent Trust Hub

codeagent

Fail

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: HIGH

Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill documents and enables several mechanisms to override safety protocols and bypass user interaction requirements.
      • The CODEAGENT_SKIP_PERMISSIONS environment variable and --skip-permissions flag are designed to suppress permission prompts from the underlying AI backend (Claude).
      • The CODEX_BYPASS_SANDBOX environment variable defaults to true, which explicitly disables sandbox security for code execution.
      • The agent configuration example includes a yolo: true parameter, suggesting a mode of operation that disregards safety checks.
  • [COMMAND_EXECUTION]: The skill facilitates the execution of complex shell commands through the codeagent-wrapper tool, which has broad access to the local system and development environment.
      • The tool is used for implementation, testing, and file manipulation across various AI backends.
      • Parallel task execution allows for the concurrent running of multiple shell-intensive tasks with dependency management.
  • [DATA_EXFILTRATION]: The skill provides tools for reading sensitive codebase information and sending it to external AI backends, while also allowing structured output to be written to files.
      • Information is transmitted to external backends including Codex, Claude, Gemini, and OpenCode.
      • The --output flag can be used to write task results and potentially sensitive summaries to specified file paths.
  • [PROMPT_INJECTION]: The 'Skill Injection' feature introduces a significant surface for indirect prompt injection by automatically loading instructions from local files into the AI's context.
      • Ingestion points: The skill auto-detects files like go.mod or package.json to load corresponding skill definitions from ~/.claude/skills/{name}/SKILL.md.
      • Boundary markers: Instructions are injected after stripping YAML frontmatter, but the documentation mentions no specific delimiters or 'ignore embedded instructions' warnings to isolate this content.
      • Capability inventory: The wrapper tool can perform file read/write operations, execute bash commands, and manage git worktrees.
      • Sanitization: There is no indication that injected skill content or task content provided via stdin or parallel configuration is sanitized, validated, or escaped before being processed by the AI.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 10, 2026, 04:17 AM