codex

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill mandates the use of the --dangerously-bypass-approvals-and-sandbox flag for all operations. This flag is designed to explicitly circumvent security protocols, allowing the Codex CLI to perform system actions without human oversight or restricted environment controls.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The 'Web Search & Fetch' capability enables the tool to retrieve content from any URL (e.g., GitHub repositories or documentation sites). Processing untrusted external data in an environment where the security sandbox has been disabled (via the bypass flag) creates a high risk of indirect prompt injection attacks.
  • [DATA_EXFILTRATION] (MEDIUM): The skill provides the ability to read the entire working directory using the @. syntax. Because the tool also has web access enabled (--enable web_search_request), there is a risk that sensitive local files could be analyzed and subsequently leaked to external services or malicious actors.
  • [Category 8: Indirect Prompt Injection] (LOW): This skill has a significant attack surface for indirect prompt injection.
      • Ingestion points: Capability 2 fetches web pages and GitHub repositories.
      • Boundary markers: None detected; the instructions do not specify any delimiters to separate web content from system instructions.
      • Capability inventory: Full file system read access (@.), code generation, and web access.
      • Sanitization: No evidence of sanitization or filtering of fetched content before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:33 PM