codex
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (LOW): The skill has a surface for indirect prompt injection as it ingests and processes entire codebases which may contain malicious instructions.
- Ingestion points: Local repository files processed via
codex exec. - Boundary markers: Absent; the agent is not instructed to ignore embedded instructions in the files it analyzes.
- Capability inventory: Includes command execution (
codex) and the ability to write to the workspace (workspace-writesandbox). - Sanitization: No sanitization of ingested file content is performed.
- Unverifiable Dependencies & Remote Code Execution (LOW): The installation instructions direct users to clone the skill from an untrusted GitHub repository (
skills-directory/skill-codex). - Obfuscation (LOW): All suggested commands suppress standard error (
2>/dev/null), which obscures potential security alerts, failures, or suspicious behavior from the underlying CLI tool. - Metadata Poisoning (LOW): The documentation references non-existent models (e.g.,
gpt-5), which could lead to confusion regarding the tool's actual capabilities and security posture. - Dynamic Execution (SAFE): The skill uses the
codexCLI to perform its primary function, which involves standard command execution for its intended purpose.
Audit Metadata