coding-agent
Warn
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to use highly permissive flags like
--yolofor Codex and--permission-mode bypassPermissionsfor Claude Code. These flags are intended to disable sandboxing and human-in-the-loop approval processes, allowing sub-agents to execute arbitrary commands without oversight.\n- [COMMAND_EXECUTION]: The bash tool definition includes anelevatedparameter, which allows for the execution of commands on the host system rather than within a restricted sandbox environment.\n- [EXTERNAL_DOWNLOADS]: The skill fetches and installs the Claude Code CLI from the official Anthropic NPM registry and the Codex CLI from the official OpenAI NPM registry.\n- [EXTERNAL_DOWNLOADS]: The instructions recommend installing@mariozechner/pi-coding-agentfrom NPM, which is a third-party package from an unverified source, introducing a potential supply chain risk.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection when it clones repositories or checks out pull requests for automated processing. Malicious instructions in the ingested code could influence the behavior of the sub-agents, especially when safety bypasses are enabled.\n - Ingestion points: Reads code and pull request metadata via
git cloneandgh pr checkoutoperations (SKILL.md).\n - Boundary markers: Lacks instructions to use delimiters or specific ignore-commands when passing external codebase content to agents.\n
- Capability inventory: Facilitates full shell access with PTY allocation and background execution capabilities (SKILL.md).\n
- Sanitization: Does not perform sanitization or validation of instructions embedded within the ingested codebase or PR data.
Audit Metadata