codex-chat
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The documentation repeatedly encourages using the `--dangerously-bypass-approvals-and-sandbox` flag with the `codex` CLI. This flag removes the approval prompts and the sandbox that sit between the model and the host; with it set, the agent executes whatever commands it chooses directly on the host machine.
  - Evidence: multiple examples in SKILL.md, such as `codex --dangerously-bypass-approvals-and-sandbox "Auto-execute everything"`.
- REMOTE_CODE_EXECUTION (HIGH): Combining the `--search` capability with the bypass flag enables a workflow in which content retrieved from the internet can be turned into commands that run on the host without human review or sandboxing.
  - Evidence: `codex --dangerously-bypass-approvals-and-sandbox --search "Build complete user authentication system"`.
- PRIVILEGE_ESCALATION (HIGH): With the sandbox disabled, the AI process can reach sensitive files, environment variables, and network resources that the sandbox would otherwise restrict; its effective permissions become those of the user's shell.
- INDIRECT_PROMPT_INJECTION (LOW): The skill has a significant attack surface for indirect injection via the `--search` flag.
  - Ingestion points: web content fetched via the `--search` flag in SKILL.md.
  - Boundary markers: none identified in the provided instructions; the instructions tell the AI to "Auto-execute everything".
  - Capability inventory: full shell execution on the host, file writes (code generation), network access, and git commits.
  - Sanitization: none identified; the instructions specifically recommend bypassing the existing safeguards.
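A practitioner reviewing a skill before installing it wants a mechanical check for the pattern this audit flags: `codex` invocations carrying `--dangerously-bypass-approvals-and-sandbox`, with the `--search` combination rated higher. The script below is an added example, not part of the Gen Agent Trust Hub audit or of the codex-chat skill; the SKILL.md it scans is a constructed sample that mirrors the evidence lines above, and the severity labels (`RCE`, `CMD_EXEC`) and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the audit or the codex-chat skill): scan a skill's
# SKILL.md for codex commands that disable approvals and the sandbox, and
# rate the combination with --search higher, as the audit does.

# Constructed sample SKILL.md mirroring the audit's evidence lines.
make_sample_skill() {
    cat > "$1" <<'EOF'
# codex-chat
Run quick tasks:
    codex "Explain this repository"
Auto-execute everything:
    codex --dangerously-bypass-approvals-and-sandbox "Auto-execute everything"
Research and build:
    codex --dangerously-bypass-approvals-and-sandbox --search "Build complete user authentication system"
EOF
}

# Print one line per offending command: "<severity>\t<line number>\t<command>".
# Severity is RCE when --search is combined with the bypass flag (internet
# content can drive unsandboxed execution), CMD_EXEC otherwise.
scan_skill() {
    grep -n 'codex.*--dangerously-bypass-approvals-and-sandbox' "$1" |
    while IFS= read -r hit; do
        lineno=${hit%%:*}
        cmd=${hit#*:}
        case "$cmd" in
            *--search*) printf 'RCE\t%s\t%s\n' "$lineno" "$cmd" ;;
            *)          printf 'CMD_EXEC\t%s\t%s\n' "$lineno" "$cmd" ;;
        esac
    done
}

# Gate for an install step: prints findings and returns non-zero when any
# bypass invocation is present, zero when the skill file is clean.
audit_skill() {
    findings=$(scan_skill "$1")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Stand-alone run: build the sample and audit it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_skill "$tmp"
    audit_skill "$tmp" || echo "skill contains bypass invocations; do not install unreviewed"
    rm -f "$tmp"
fi
```

This is a lint, not a substitute for reading the skill: it catches the literal flag on a line that also mentions `codex`, so a command split across lines or built from variables will pass it. Anything it does flag should be run, if at all, without the bypass flag so that the CLI's own approvals and sandbox stay in place.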
Recommendations
- AI detected serious security threats
Audit Metadata