codex-subagent
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The documentation in DEVLOG.md explicitly advocates for using the --dangerously-bypass-approvals-and-sandbox flag. This bypasses the security boundaries of the agent, allowing unrestricted command execution and network access without user confirmation.
- DATA_EXFILTRATION (MEDIUM): The scripts scripts/codex-parent-settings.ps1 and scripts/codex-parent-settings.sh access the user's local configuration at ~/.codex/config.toml. Accessing local configuration files is a sensitive operation that can expose environment details or user preferences.
- PROMPT_INJECTION (LOW): The skill documentation provides instructions on how to override default agent safety constraints and sandbox permissions.
- PROMPT_INJECTION (LOW): Indirect Prompt Injection Surface identified.
  - Ingestion points: ~/.codex/config.toml
  - Boundary markers: Absent
  - Capability inventory: Unrestricted command execution via sandbox bypass flags
  - Sanitization: Absent. The skill reads external configuration data and uses it to drive subagent behavior without validation or delimiters.
Recommendations
- AI detected serious security threats
Audit Metadata