codex-chat

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill includes explicit web-search and ingestion options (e.g., the "--search" flag shown in "With web search" and examples like codex --search "Research and implement OAuth2" and accepts external images via -i), so the agent will fetch and read open/public third-party (potentially user-generated) content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly encourages bypassing security/sandboxing with flags like --dangerously-bypass-approvals-and-sandbox and "Auto-execute everything," which directs the agent to run automated, potentially system-modifying actions that can compromise the machine state.