copier
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill instructs the agent to utilize the --trust and --UNSAFE flags. These flags enable the execution of arbitrary shell commands defined in the _tasks and _migrations sections of a copier.yml file, as well as the loading of custom Python-based Jinja2 extensions. This capability can be exploited if an agent is directed to use a malicious or untrusted remote template.
- [EXTERNAL_DOWNLOADS]: The skill facilitates downloading project templates from external sources including GitHub, GitLab, and arbitrary Git URLs. These remote files are then processed locally, creating a vector for the introduction of malicious content or code.
- [COMMAND_EXECUTION]: The skill's primary function is the execution of the copier CLI tool. This involves spawning subprocesses that perform file system operations and network requests based on instructions found in both the skill and the processed templates.
- [PROMPT_INJECTION]: The skill contains instructions that direct the agent to bypass built-in tool safety mechanisms. Specifically, the text 'Use --trust (or --UNSAFE) whenever a template defines _tasks, _migrations, or _jinja_extensions' encourages the agent to automatically enable high-risk features when interacting with potentially untrusted third-party data.
- [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill is designed to ingest and process data from external Git repositories (templates). These templates can contain Jinja2 expressions and shell tasks that are executed by the host system. There are no boundary markers or sanitization steps mentioned to isolate the agent from instructions embedded within these third-party templates.