assign
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill constructs and executes shell commands for external tools (opencode, codex) by substituting user-provided variables like <model> and <dir> into command templates defined in REFERENCE.md. This pattern is vulnerable to argument injection if a user provides a malicious string containing shell metacharacters or additional flags.
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to use flags such as --dangerously-skip-permissions and approval_policy=never. These flags are designed to suppress interactive user approval prompts for file modifications and tool execution, effectively granting the downstream agent unrestricted access to the local environment and bypassing built-in safety mechanisms.
- [PROMPT_INJECTION]: The skill creates an attack surface for indirect prompt injection. It ingests untrusted user input and pipes it into a secondary AI agent. Because the skill suppresses the secondary agent's permission prompts and safety filters, a malicious prompt could successfully instruct the downstream agent to perform harmful actions on the user's system without oversight.
Recommendations
- AI detected serious security threats
Audit Metadata