coding-agent

Warn

Audited by Gen Agent Trust Hub on Jun 23, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to use highly permissive flags like --yolo for Codex and --permission-mode bypassPermissions for Claude Code. These flags are intended to disable sandboxing and human-in-the-loop approval processes, allowing sub-agents to execute arbitrary commands without oversight.\n- [COMMAND_EXECUTION]: The bash tool definition includes an elevated parameter, which allows for the execution of commands on the host system rather than within a restricted sandbox environment.\n- [EXTERNAL_DOWNLOADS]: The skill fetches and installs the Claude Code CLI from the official Anthropic NPM registry and the Codex CLI from the official OpenAI NPM registry.\n- [EXTERNAL_DOWNLOADS]: The instructions recommend installing @mariozechner/pi-coding-agent from NPM, which is a third-party package from an unverified source, introducing a potential supply chain risk.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when it clones repositories or checks out pull requests for automated processing. Malicious instructions in the ingested code could influence the behavior of the sub-agents, especially when safety bypasses are enabled.\n
  • Ingestion points: Reads code and pull request metadata via git clone and gh pr checkout operations (SKILL.md).\n
  • Boundary markers: Lacks instructions to use delimiters or specific ignore-commands when passing external codebase content to agents.\n
  • Capability inventory: Facilitates full shell access with PTY allocation and background execution capabilities (SKILL.md).\n
  • Sanitization: Does not perform sanitization or validation of instructions embedded within the ingested codebase or PR data.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 23, 2026, 06:06 AM
Security Audit — agent-trust-hub — coding-agent