explore-code
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script
scripts/write_outputs.pydynamically loads and executes a Python module from a path computed at runtime (../../../shared/scripts/write_explore_bundle.py). This technique allows the execution of arbitrary code located outside the skill's own directory, which is not verified during the security scan of the skill itself. - [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface in
scripts/plan_code_changes.py. It recursively scans and reads content from files within a target repository to identify targets for code modification. Malicious instructions embedded in strings or comments within these files could influence the agent's behavior when it processes the generated plan. - Ingestion points: Repository files are listed via
Path.rgloband read viaPath.read_textinscripts/plan_code_changes.py. - Boundary markers: Absent; the skill does not use delimiters or instructions to prevent the agent from obeying embedded commands in the source code it analyzes.
- Capability inventory: The skill has capabilities for file system exploration, reading file contents, and dynamic code loading.
- Sanitization: None; repository content is treated as data for planning without validation or escaping.
- [COMMAND_EXECUTION]: The planning logic in
scripts/plan_code_changes.pyis designed to identify 'candidate edit targets' and suggest 'proposed code tracks' (e.g., 'import-glue', 'module-transplant-shim'). This workflow involves the agent modifying and potentially executing research code, which could be exploited if the planning phase is compromised via indirect injection.
Audit Metadata