codex-tools
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill provides multiple examples in SKILL.md that use the --dangerously-bypass-approvals-and-sandbox flag, which explicitly instructs the agent to ignore safety guardrails and user confirmation for shell command execution.
- [REMOTE_CODE_EXECUTION] (HIGH): The automation patterns for 'setup_project' and 'automate_refactoring' involve generating and running code with full system access. Without sandboxing enabled, this allows for the execution of arbitrary code with the permissions of the local user.
- [PROMPT_INJECTION] (LOW): The use of the --search flag combined with full automation creates an attack surface for indirect prompt injection. Untrusted content from search results could manipulate agent actions while security filters are disabled. Evidence: Ingestion (web search), Capability (system-wide shell/file access), Boundary markers (absent), Sanitization (absent).
Recommendations
- AI detected serious security threats