product-analysis
Fail
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the use of the
codexCLI with the--dangerously-bypass-approvals-and-sandboxflag. This explicitly directs the execution environment to disable built-in security protocols and sandbox restrictions, which is a high-risk practice that could allow unauthorized system modifications. - [COMMAND_EXECUTION]: The skill initiates multiple parallel background processes for both Claude Code agents and Codex CLI commands. Running complex analysis tasks in the background (
run_in_background: true) makes it significantly harder for a user to monitor and audit the agent's actions or the commands being executed in the shell. - [REMOTE_CODE_EXECUTION]: The skill utilizes the
codextool with a--full-autoconfiguration to analyze project files. This allows the tool to autonomously interpret and potentially execute logic derived from the codebase. If the codebase contains malicious or untrusted content, this could lead to unintended code execution within the user's environment. - [DATA_EXFILTRATION]: The skill performs deep scans of architectural files, configuration files (e.g.,
.env.example,package.json), and backend logic. While intended for generating a report, this process aggregates sensitive information about the project's internal structure and security patterns into a single output, which could be exposed if the agent context is compromised. - [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests and processes untrusted data from the local project files (source code, documentation, and configuration) without clear boundary markers or sanitization. This surface allows malicious instructions hidden within the analyzed files to potentially influence the behavior of the parallel agents.
- Ingestion points: Project files including
package.json,pyproject.toml,Cargo.toml,go.mod, and source code files (e.g.,App.tsx) analyzed in Phase 1. - Boundary markers: None identified in the instruction set to delimit untrusted project content from agent instructions.
- Capability inventory: Subprocess execution via shell (
which,ls,codex), parallel agent spawning (subagent_type: Explore), and file system reading. - Sanitization: No evidence of input validation or escaping for the content being processed by the agents or the Codex CLI.
Recommendations
- AI detected serious security threats
Audit Metadata