codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [Indirect Prompt Injection] (HIGH): The skill reads uncommitted code changes, which are untrusted data sources. If the code being reviewed contains instructions specifically crafted to deceive an AI (e.g., within comments), these could be executed or obeyed by the agent when it processes the captured review output.
  - Ingestion points: SKILL.md uses tmux capture-pane to capture the output of the codex CLI (which has processed untrusted source code) and returns it to the agent.
  - Boundary markers: Absent. There are no delimiters or system instructions used to encapsulate the external output or warn the agent to ignore instructions within it.
  - Capability inventory: The skill has shell execution capabilities via tmux, manages background processes, and performs file system cleanup (rm).
  - Sanitization: Absent. The captured text is returned directly to the agent's context without filtering or escaping.
- [Command Execution] (LOW): The skill relies on multiple shell commands to orchestrate tmux sessions and sockets. This is a functional requirement but contributes to the overall risk profile by providing a mechanism for command-based orchestration of untrusted tools.
Recommendations
- AI detected serious security threats
Audit Metadata