codex
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION)
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill is designed to run the `codex` CLI tool in `--full-auto` mode by default. This grants the subagent `workspace-write` capabilities and automatic approval for changes, allowing for broad, autonomous modification of the local filesystem and repository state.
- [PROMPT_INJECTION] (MEDIUM): The task description from `$ARGUMENTS` is interpolated directly into the `CODEX_PROMPT` heredoc. If the agent is instructed to use this skill on untrusted input (e.g., 'fix the bug described in this issue: [malicious content]'), an attacker could inject instructions to override the subagent's constraints or perform unauthorized actions.
- [DATA_EXFILTRATION] (LOW): The skill provides the subagent with tools to read the entire codebase (`Glob`, `Grep`, `Read`, `cat`). While necessary for its primary purpose, these tools could be abused to locate and extract sensitive information like environment variables or local configuration files if a malicious task is executed.
- [INDIRECT_PROMPT_INJECTION] (LOW):
  - Ingestion points: The `$ARGUMENTS` variable is used to populate the `<task>` section of the prompt (SKILL.md).
  - Boundary markers: The prompt uses structured XML-like tags (`<context>`, `<task>`, `<constraints>`, `<output>`) to separate instructions from data, which provides some protection but can be bypassed by sophisticated injections.
  - Capability inventory: Full file system write access (via `codex`), git repository management, and the ability to execute background tasks.
  - Sanitization: No sanitization or escaping of the user-provided arguments is performed before interpolation into the subagent prompt.
Audit Metadata