explore-code
Warn
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/write_outputs.py dynamically loads and executes an external Python module from a path computed at runtime using relative directory traversal.
- Evidence: The script resolves the path ../../shared/scripts/write_explore_bundle.py and uses importlib.util.spec_from_file_location and spec.loader.exec_module to execute it.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted structured research data that influences the resulting code-change plans.
- Ingestion points: The scripts/plan_code_changes.py script accepts JSON input via the --variant-spec-json, --idea-card-json, and --analysis-json arguments.
- Boundary markers: No delimiters or instructions are used to separate untrusted content from the system context.
- Capability inventory: The skill can plan and perform file modifications and execute scripts, allowing malicious data to impact repository state.
- Sanitization: Content is parsed as JSON but not sanitized or validated against natural language instruction patterns.
Audit Metadata