code-auto

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUM
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill instructions explicitly direct the agent to bypass standard user approval gates during the implementation and finalization phases, specifically stating 'No user approval gate (trust mode)' and contrasting itself with tools that have blocking approval steps. This overrides standard safety protocols for autonomous code modification.
  • [COMMAND_EXECUTION]: The skill requires the execution of a local script at .claude/scripts/code_graph. While used for dependency mapping, executing local project scripts involves risk if the repository contains unverified or malicious logic.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection through the processing of untrusted plan data.
      • Ingestion points: Plan content is ingested from the $ARGUMENTS variable and the plan.md file into the active prompt context.
      • Boundary markers: The plan is wrapped in <plan> tags, but there are no explicit instructions for the agent to ignore or sanitize embedded instructions within those tags.
      • Capability inventory: The agent possesses extensive capabilities including file writing, running tests (code execution), and executing git commands through subagents.
      • Sanitization: There is no evidence of input validation or sanitization for the plan content before it is processed by the implementation subagents.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 12, 2026, 02:01 AM