skills/kashyab12/uni-pstack/how/Gen Agent Trust Hub

how

Warn

Audited by Gen Agent Trust Hub on Jul 10, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell scripts and binaries not provided in the package, such as pstack/scripts/spawn-codex-worker.sh and codex exec. Executing scripts from unverified paths on the host system represents a significant security risk.\n- [PROMPT_INJECTION]: The skill includes directives to override platform model defaults and reasoning tiers with custom, non-standard identifiers like gpt-5.6-sol. This attempts to bypass the agent's standard operating configuration and redirect reasoning to unverifiable model profiles.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted codebase data and interpolates it directly into synthesis prompts.\n
  • Ingestion points: Code snippets and symbol definitions are gathered from the local codebase using Read and Grep in the explorer-prompt.md file.\n
  • Boundary markers: The {EXPLORER_FINDINGS_ALL} variable in explainer-prompt.md is not enclosed in security delimiters (e.g., XML tags) nor accompanied by instructions to ignore embedded commands.\n
  • Capability inventory: The agent environment has shell access (spawn-codex-worker.sh), file system write access, and Git integration.\n
  • Sanitization: There is no evidence of filtering or escaping logic applied to the data gathered by explorer agents before it is passed to the synthesizer.\n- [REMOTE_CODE_EXECUTION]: The "Codex delegation" and "Codex CLI workers" patterns indicate that code analysis results are sent to an external, third-party execution environment or model endpoint. This architecture could facilitate unauthorized remote code execution or sensitive data exposure if the external environment is compromised.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jul 10, 2026, 04:47 PM