codex-review
Warn
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The script
scripts/codex-review.shinvokescodex execwith the--yoloflag enabled via theCODEX_YOLOenvironment variable. This configuration is designed to execute model-generated actions or commands without interactive user confirmation.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because untrusted task descriptions are interpolated directly into prompts sent to the external Codex service inscripts/codex-review.sh.\n - Ingestion points: Command-line arguments passed as the
DESCRIPTIONvariable toscripts/codex-review.sh.\n - Boundary markers: None. User-controlled content is embedded directly in the prompt text without delimiters.\n
- Capability inventory: Execution of shell commands via
codex exec --yoloand access to the local filesystem.\n - Sanitization: No escaping, filtering, or validation is performed on the input content before interpolation.\n- [EXTERNAL_DOWNLOADS]: The skill requires the global installation of the
@openai/codexCLI package via npm, which serves as the interface for executing model-generated tasks.\n- [COMMAND_EXECUTION]: Theload_configfunction inscripts/common.shuses thesourcecommand on the project's.codex-review/config.envfile. This pattern allows for arbitrary shell command execution if the configuration file is modified by a malicious process or actor.
Audit Metadata