coding-agent

Pass

Audited by Gen Agent Trust Hub on May 5, 2026

Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies on the Bash tool to execute complex shell commands for managing tmux sessions and spawning coding agents. It explicitly instructs the agent to use high-risk execution flags such as '--dangerously-skip-permissions' for Claude Code and '--yolo' or '--full-auto' for Codex, which bypass human-in-the-loop approvals for file modifications and command execution.
  • [EXTERNAL_DOWNLOADS]: The skill contains instructions for downloading and installing external software, such as the '@mariozechner/pi-coding-agent' package from the NPM registry and cloning remote repositories via git. These operations target well-known services (GitHub, NPM) and are standard for developer-oriented tools.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it is designed to ingest untrusted data from external sources during its primary workflow.
    • Ingestion points: Processes external data from GitHub Pull Requests (gh pr checkout) and Issue descriptions (Fix issue #78) in several automation examples in SKILL.md.
    • Boundary markers: Absent; the provided prompt templates do not include instructions for the agent to use delimiters or to disregard potential instructions embedded within the ingested data.
    • Capability inventory: The skill possesses extensive capabilities including file system modification, network access via CLI tools (git, gh), and arbitrary command execution within tmux sessions across ALL files.
    • Sanitization: Absent; external content is interpolated directly into prompts for the sub-agents without escaping or validation.
Audit Metadata
Risk Level: SAFE
Analyzed: May 5, 2026, 09:05 AM