codex
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute an external CLI tool named `codex` with high-privilege configurations.
  - Evidence: The documentation explicitly suggests the use of the `--sandbox danger-full-access` flag, which allows the tool to bypass standard sandbox restrictions, granting network access and broad system permissions.
- [COMMAND_EXECUTION]: Command patterns include `2>/dev/null` by default to suppress the standard error stream.
  - Evidence: Suppressing stderr hides potentially critical security warnings, diagnostic errors, or 'thinking tokens' that would otherwise inform the user or agent of unexpected or malicious behavior during execution.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to process external code and user-provided prompts, creating an attack surface for indirect injection.
  - Ingestion points: Untrusted user prompts and workspace files are passed directly to the `codex exec` and `codex resume` commands in `SKILL.md`.
  - Boundary markers: No explicit boundary markers or instructions to ignore embedded commands are present in the provided templates.
  - Capability inventory: The tool has significant capabilities including file system write access (`workspace-write`) and full network access (`danger-full-access`).
  - Sanitization: There is no evidence of sanitization or validation logic to inspect the content being processed before execution.
Audit Metadata