omx
Fail
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill promotes the use of the --madmax flag, which is explicitly documented to map to the --dangerously-bypass-approvals-and-sandbox parameter in the Codex CLI, effectively disabling security constraints.
- [EXTERNAL_DOWNLOADS]: Installation requires fetching the oh-my-codex and @openai/codex packages from the public NPM registry, which are then executed with broad permissions.
- [REMOTE_CODE_EXECUTION]: The skill implements a lifecycle hook system that automatically executes arbitrary JavaScript code from the .omx/hooks/*.mjs directory during session events like session-start or turn-complete.
- [PROMPT_INJECTION]: Includes instructions to override default agent behavior using flags like --yolo (minimal verification) and --madmax (bypass safety), which are intended to circumvent standard model safety protocols.
- [PROMPT_INJECTION]: The skill orchestrates complex tasks using user input in automated pipelines such as $autopilot and $team. These ingestion points lack defined boundary markers or sanitization logic, creating a surface for indirect prompt injection that can trigger subsequent tool use or file writes.
Recommendations
- AI detected serious security threats
Audit Metadata