codex-tools

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill explicitly promotes bypassing approvals and sandboxing to run arbitrary commands and modify files, enabling remote code execution, credential access, and supply-chain abuses even though it contains no directly obfuscated payload or explicit exfiltration code.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's "Web Search" section shows use of codex exec --search (e.g., "Research best practices for GraphQL") which performs searches of public web content that the agent is expected to read and use, exposing it to untrusted third-party/user-generated material.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs bypassing approvals and sandboxes ("--dangerously-bypass-approvals-and-sandbox", "permission bypass") and enables arbitrary shell/file modifications and full automation, which pushes the agent to evade security controls and modify the host state.