codex-subagent

CRITICAL E004: Prompt injection detected in skill instructions.

• Potential prompt injection detected (high risk: 0.90). The prompt explicitly tells agents to "act autonomously, no permission asking" and uses flags like --dangerously-bypass-approvals-and-sandbox/--skip-git-repo-check, which are instructions to override safety/permission controls and thus constitute deceptive/overriding behavior outside the mere spawning/offloading purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly instructs spawned subagents to perform open web searches and summarize web content (e.g., the "Pure Web Search (mini)" and "codex exec ... 'Search web for [TOPIC]'" examples) and even documents flags to bypass sandbox/network restrictions, so the agent will fetch and interpret untrusted public web pages.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt repeatedly includes flags to "--dangerously-bypass-approvals-and-sandbox" and "act autonomously, no permission asking," which explicitly encourages bypassing security controls and acting without consent even though it doesn't directly instruct sudo, user creation, or system-file edits.