gpt-image-2
Pass
Audited by Gen Agent Trust Hub on Apr 24, 2026
Risk Level: SAFE
Tags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses the `~/.codex/sessions/` directory to read session rollout files. These files contain sensitive user conversation history from the Codex CLI. While the skill attempts to isolate only files created during its execution via session diffing, it still reads raw chat logs, which may contain private information.
- [COMMAND_EXECUTION]: The skill invokes the `codex` CLI and a Python interpreter through `subprocess` and shell environments, with arguments provided by the user, including the prompt and output file paths.
- [PROMPT_INJECTION]: User-provided prompts are interpolated directly into an instruction string for the `codex exec` command. This creates a surface for indirect prompt injection, where a malicious user prompt could attempt to manipulate the behavior of the underlying model or the Codex sandbox capabilities.
- [DATA_EXFILTRATION]: The skill writes files to paths provided by the user. Although it validates that the path is not in a system directory (e.g., `/etc`, `/usr`), it does not restrict writing to other sensitive user locations such as shell configuration files (`~/.bashrc`) or SSH folders (`~/.ssh`), which could lead to file overwrites if the agent is misled.
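The last finding is the one most easily fixed at the code level, so the following is an added example (not the audited skill's code and not produced by Gen Agent Trust Hub) that contrasts a system-directory denylist of the kind the analysis describes with an allowlist that confines every write to one output directory. The function names, the `SYSTEM_DIRS` list, the home and output paths, and the planted symlink are all hypothetical; the denylist is a reconstruction of the weakness, not the skill's actual check.

```python
"""Denylist vs. allowlist validation of a user-supplied output path.

Added example, not the audited skill's code. ``weak_is_allowed`` models a
check that only rejects system directories; ``hardened_is_allowed`` confines
writes to a single output directory after resolving symlinks and rejects
dotfile components. All paths below are hypothetical.
"""
import os
import tempfile
from pathlib import Path

# Hypothetical denylist of the shape the audit describes: system dirs only.
SYSTEM_DIRS = ("/etc", "/usr", "/bin", "/sbin", "/boot")


def _expand(path: str, home: str) -> Path:
    """Expand a leading '~' against an explicit home so tests stay hermetic."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    return Path(path)


def weak_is_allowed(path: str, home: str) -> bool:
    """Denylist check: anything not under a system directory passes, which
    means ~/.bashrc and ~/.ssh/authorized_keys are accepted."""
    target = _expand(path, home).resolve()
    return not any(target == Path(d) or Path(d) in target.parents
                   for d in SYSTEM_DIRS)


def hardened_is_allowed(path: str, home: str, output_root: str) -> bool:
    """Allowlist check: the fully resolved target must be a file strictly
    inside output_root (symlinks followed, '..' collapsed) and no path
    component below the root may start with '.'."""
    root = Path(output_root).resolve()
    target = _expand(path, home).resolve()
    # Writing to the root itself or anywhere outside it is rejected; a
    # symlink planted inside the root that points elsewhere resolves outside.
    if root not in target.parents:
        return False
    rel = target.relative_to(root)
    # Block hidden files/dirs so a future root under $HOME cannot reach
    # dotfiles via a creative relative path.
    return not any(part.startswith(".") for part in rel.parts)


def demo() -> dict:
    """Build a throwaway home with an attacker-planted symlink inside the
    output directory and report what each check decides."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home")
        out = os.path.join(home, "out")
        os.makedirs(os.path.join(home, ".ssh"))
        os.makedirs(out)
        # Constructed attack: out/keys -> ~/.ssh, so "out/keys/authorized_keys"
        # looks like it lives in the output directory but does not.
        os.symlink(os.path.join(home, ".ssh"), os.path.join(out, "keys"))
        escape = os.path.join(out, "keys", "authorized_keys")
        return {
            "plain_file": hardened_is_allowed(os.path.join(out, "image.png"), home, out),
            "symlink_escape": hardened_is_allowed(escape, home, out),
            "weak_symlink_escape": weak_is_allowed(escape, home),
        }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {'allowed' if result else 'rejected'}")
```

The check is still a check-then-write, so the actual write should reopen the resolved path with `O_NOFOLLOW` (or write to the resolved `Path` object rather than the user's string) to narrow the race window; the validator above only closes the denylist gap the analysis points out.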
Audit Metadata