codex-session-patcher
Fail
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: HIGH
Findings: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is explicitly built to bypass AI safety filters and refusal responses. It provides templates for 'CTF prompt injection' that instruct the AI to ignore its default safety protocols by assuming a security researcher persona.
- [EXTERNAL_DOWNLOADS]: The installation process requires cloning a repository from a third-party GitHub account and installing its dependencies. This allows for the execution of unverified external code on the user's system.
- [COMMAND_EXECUTION]: The skill facilitates the execution of local shell scripts and installation of Python and Node.js packages. This provides a vector for arbitrary command execution during setup and web UI deployment.
- [DATA_EXFILTRATION]: The 'AI-Assisted Rewriting' feature is designed to send the contents of local session files—which often contain private source code, terminal history, and project metadata—to external LLM endpoints such as OpenAI or OpenRouter.
- [PROMPT_INJECTION]: The skill uses an 'ignore-previous-instructions' style approach by patching session histories to replace AI refusals with cooperative responses, effectively manipulating the context to force the AI to ignore its previous safety decisions.
Recommendations
- AI detected serious security threats
Audit Metadata