codex-review

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E006: Malicious code pattern detected in skill scripts.

  • Malicious code pattern detected (high risk: 0.90). This content does not contain explicit obfuscated payloads or credential-stealing code, but it repeatedly instructs sending local/PR diffs to an external "codex" execution service and uses a clearly dangerous flag (--dangerously-bypass-approvals-and-sandbox) plus automated "apply" behavior, creating a high risk of unauthorized data exfiltration, remote code execution, and repository compromise if the external service or model is malicious or compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.90). The skill explicitly ingests PR bodies and diffs from GitHub (e.g., gh pr view --json body,diff | codex exec ...), which are untrusted, user-generated third‑party content that the agent is expected to read and interpret as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs use of a "--dangerously-bypass-approvals-and-sandbox" flag and automatised "auto-fix" + "apply" workflows that can execute arbitrary code and modify files (potentially outside the project), which constitutes bypassing security mechanisms and risks compromising the machine state.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 16, 2026, 01:17 AM