codex

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt repeatedly embeds explicit flags like "--dangerously-bypass-approvals-and-sandbox" that instruct the agent to override approvals/sandboxing—an instruction to subvert safety controls which is outside the stated purpose of code generation and web fetch.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The Web Search & Fetch capability explicitly enables fetching and summarizing arbitrary web pages (via --enable web_search_request and examples like "Fetch and summarize https://github.com/user/repo"), so the agent will ingest untrusted, user-generated third-party web content (public sites/GitHub) as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt repeatedly instructs use of a --dangerously-bypass-approvals-and-sandbox flag (and other flags that override safety checks), which explicitly directs bypassing security/sandboxing and could enable modifications to the host system.