omx
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill's recommended launch profile includes the --madmax flag. This flag explicitly maps to the Codex CLI's --dangerously-bypass-approvals-and-sandbox setting, which disables the platform's requirement for user confirmation before executing tools and removes the security sandbox protecting the host environment.
- [EXTERNAL_DOWNLOADS]: The installation process requires the global installation of third-party packages (oh-my-codex and @openai/codex) from the public NPM registry.
- [DYNAMIC_EXECUTION]: The skill features a hook extension system that executes custom JavaScript files (.mjs) found in the local .omx/hooks/ directory during lifecycle events such as session start or turn completion.
- [PROMPT_INJECTION]: The tool is designed to automatically inject the contents of a local AGENTS.md file into the model's system instructions. This creates a surface for indirect prompt injection where malicious instructions inside a project repository could override the agent's behavior.
  - Ingestion points: The <cwd>/AGENTS.md file is read and passed to the model via the model_instructions_file configuration.
  - Boundary markers: None specified in the documentation to separate untrusted file content from system instructions.
  - Capability inventory: The skill uses Bash, Read, Write, Grep, and Glob tools.
  - Sanitization: No sanitization or validation of the injected instruction file is mentioned.
Recommendations
- AI detected serious security threats
Audit Metadata