skills/alpoxdev/hypercore/codex/Gen Agent Trust Hub

codex

Warn

Audited by Gen Agent Trust Hub on Mar 10, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION]: The skill dynamically assembles shell commands using user-supplied inputs, such as task prompts and directory paths. This creates a potential vector for command injection if the agent fails to properly escape or validate these inputs before execution.
  • [COMMAND_EXECUTION]: Instructions mandate the use of the --skip-git-repo-check flag, which bypasses built-in safety checks regarding the execution environment's version control state.
  • [COMMAND_EXECUTION]: The skill encourages the use of high-impact flags such as --sandbox danger-full-access (granting network and broad file system access) and --full-auto (allowing automated changes). Although user permission is required, these features significantly increase the potential impact of any malicious activity.
  • [EXTERNAL_DOWNLOADS]: The skill relies on an external binary named codex. While it does not download it at runtime, the skill's functionality is entirely dependent on this external tool, whose security posture and origin are not defined within the skill itself.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes and summarizes output from an external AI model (Codex). Malicious instructions or code snippets processed by Codex could potentially influence the agent's behavior. The skill includes documentation instructing the agent to critically evaluate Codex's output as a mitigation strategy.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 10, 2026, 08:16 AM