omx
Fail
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly recommends the use of the --madmax flag, which is documented to map to the --dangerously-bypass-approvals-and-sandbox setting. This configuration bypasses primary security guardrails and sandboxing, enabling the agent to execute actions without user approval or safety constraints.
- [EXTERNAL_DOWNLOADS]: The skill instructions require the installation of the oh-my-codex package from the public npm registry. This introduces an external third-party dependency into the execution environment.
- [REMOTE_CODE_EXECUTION]: The skill provides a 'Hook Extensions' feature that, when enabled via OMX_HOOK_PLUGINS=1, automatically executes JavaScript files (.mjs) from a local .omx/hooks/ directory. This creates a mechanism for arbitrary code execution based on the contents of the local project files.
- [PROMPT_INJECTION]: The skill implements an automated injection of the AGENTS.md file from the current working directory into the model's system instructions. This represents a surface for indirect prompt injection.
- Ingestion points: Project-level AGENTS.md file in the current working directory.
- Boundary markers: None identified; the file content is directly used as a configuration parameter for model instructions.
- Capability inventory: Includes shell access via Bash, file system operations via Write, and coordination of multiple autonomous agents.
- Sanitization: None; the content of the local file is ingested and treated as authoritative instructions for the agent.
Recommendations
- AI detected serious security threats
Audit Metadata