codex-cli

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content is not an explicit malware payload but it exposes multiple high‑risk capabilities (approval bypass flags, "danger-full-access" sandbox, remote MCP server, CI usage with secrets, automated install/run/patch workflows) that enable remote code execution, system compromise, and potential data/credential exfiltration if misused or if the CLI is malicious—so it represents a high-risk tooling pattern rather than harmless documentation.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill directly performs web searches and ingests open web content (see "Web Search Integration" and multiple examples using codex exec --search and saving research to files like plan.md which Claude then reads/uses), meaning it consumes untrusted third‑party user/public website content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly promotes bypassing approvals and sandboxes (e.g., --dangerously-bypass-approvals-and-sandbox, "danger-full-access"), and instructs full-automation workflows that grant complete system control and perform installs/changes that can modify system state or require elevated privileges.