learn
Pass
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/extract_recent_transcript.py` executes system utilities to gather environment and session metadata.
  - Evidence: It runs the `ps`, `tty`, and `lsof` commands via `subprocess.run` to identify active processes and locate session logs within the `~/.codex/sessions/` directory.
  - These system calls are restricted to environment discovery tasks and do not process arbitrary external input as command arguments.
- [PROMPT_INJECTION]: The skill's architecture facilitates the extraction of instructions from untrusted conversation history, posing a risk of indirect prompt injection.
  - Ingestion points: Conversation transcripts are read from local JSONL files and existing `AGENTS.md` files to identify corrections or preferences.
  - Boundary markers: The skill lacks structural delimiters or programmatic sanitization to isolate extracted text from the rest of the conversation content during the extraction process.
  - Capability inventory: The skill possesses the capability to write to the local file system to modify agent configuration files (`AGENTS.md`), which influences future agent behavior.
  - Sanitization: A mandatory user confirmation checkpoint ('Always confirm before writing into AGENTS.md') is implemented as the primary defense against the persistence of malicious instructions.
Audit Metadata