Giga Coding Agent
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: giga-coding-agent
Version: 1.0.0
The skill instructs the AI agent to use the `codex` tool with the `--yolo` flag (e.g., in `SKILL.md`), which is explicitly described as bypassing sandboxing and approvals. This creates a severe remote code execution (RCE) vulnerability, as a malicious prompt could leverage this capability to execute arbitrary commands on the host system without restrictions. While the skill itself does not contain explicit malicious payloads or instructions for data exfiltration, the enablement of such a dangerous capability makes it suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A coding agent could run commands and modify files in the project without the usual safety checks.
The skill explicitly recommends a mode that bypasses approvals and sandboxing for an autonomous coding agent.
bash workdir:~/project background:true command:"codex --yolo \"Build a snake game with dark theme\"" # Note: --yolo is a shortcut for --dangerously-bypass-approvals-and-sandbox
Avoid --yolo except in disposable sandboxes or temporary clones, and require explicit user confirmation before any no-sandbox or no-approval run.
A background coding process may keep running, editing files, or waiting for input after the user has moved on.
The primary pattern is to spawn other coding agents as background processes, which can continue operating until monitored or killed.
Use **bash background mode** for non-interactive coding work. ... bash workdir:~/project/folder background:true command:"<agent command>"
Use clear time limits, monitor sessions with process logs, and kill background sessions when the task is complete.
The agent could publish comments or push code changes to repositories under the user's identity.
The workflow tells agents to post GitHub PR comments and to commit and push code, which can use the user's existing GitHub or git credentials.
gh pr comment <PR#> --body "<review content>" ... codex --yolo 'Fix issue #78: <description>. Commit and push.'
Require manual review and explicit confirmation before posting PR comments, committing, pushing, or creating PRs; prefer limited-scope credentials.
A mistake in the workflow or prompt could affect many pull requests, branches, or public comments at once.
The skill encourages running multiple autonomous coding-agent jobs in parallel across PRs, then posting results back to GitHub.
# Deploy the army - one Codex per PR!
bash workdir:~/project background:true command:"codex exec \"Review PR #86. git diff origin/main...origin/pr/86\""
bash workdir:~/project background:true command:"codex exec \"Review PR #87. git diff origin/main...origin/pr/87\""
Limit parallelism, isolate each run in a disposable worktree or clone, and review all outputs before applying or publishing them.
A user may overestimate the containment provided by the working directory and run agents near sensitive files.
The text frames the working directory as if it limits what the agent can see, but a workdir alone is not a true filesystem sandbox, especially when later using no-sandbox modes.
Start agent in target directory ("little box" - only sees relevant files)
...
Why workdir matters: Agent wakes up in a focused directory, doesn't wander off reading unrelated files
Describe workdir as a convenience, not a security boundary; use real sandboxes, temporary clones, and least-privilege file access for sensitive projects.
Installing an unpinned global package can change the local environment and depends on the package source staying trustworthy.
The optional Pi setup installs a global npm package without a pinned version. This is purpose-aligned, but users should notice the external dependency.
# Install: npm install -g @mariozechner/pi-coding-agent
Install only from trusted sources, consider pinning the package version, and review the package before using it in sensitive repositories.
Project code or prompts may be processed by the configured coding-agent provider.
The skill passes project-directed tasks to external coding-agent CLIs and providers. This is expected for the purpose, but it creates a data boundary users should understand.
bash workdir:~/project background:true command:"claude \"Your task\"" ... bash workdir:~/project background:true command:"pi --provider openai --model gpt-4o-mini -p \"Summarize src/\""
Use only approved providers for confidential code and avoid pointing the agent at sensitive repositories unless the provider and account settings are acceptable.
