codex-review
Warn
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes several shell commands to manage its workflow, including `git diff` to capture local code changes, `uuidgen` for session identification, and `python` heredocs to parse session IDs from execution logs.
- [DATA_EXFILTRATION]: Local implementation plans and source code diffs are written to temporary files and transmitted to an external service via the `codex` command-line tool. This involves sending potentially sensitive project context to a remote model provider.
- [REMOTE_CODE_EXECUTION]: In its iterative mode, the skill is instructed to automatically apply code modifications directly to the local filesystem based on feedback from the Codex CLI. This autonomous code modification loop allows untrusted model output to change the codebase without an explicit human-in-the-loop validation step for each change.
- [EXTERNAL_DOWNLOADS]: The documentation suggests the installation of a non-standard package `@openai/codex` via NPM. While the scope indicates a well-known vendor, the package name does not align with official OpenAI distributions, which may lead to the installation of unverified tools.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface by processing external data (code and plans) and using model output to drive system changes.
  - Ingestion points: Reads local `git diff` output and implementation plans from the conversation context.
  - Boundary markers: None present; data is passed directly to temporary files for processing.
  - Capability inventory: Includes file system writes (Step 8), command execution (git, python, codex), and network access (via the CLI tool).
  - Sanitization: No validation or escaping is performed on the external model's feedback before the agent uses it to revise local code files.
Audit Metadata