codex-companion

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The companion runtime (scripts/lib/codex.mjs and the runAppServerTurn/captureTurn flow) explicitly records and ingests tool outputs such as "webSearch", "dynamicToolCall", and "mcpToolCall" into the assistant's reasoningSummary/final message and into actionable outputs (fileChanges/touchedFiles), and SKILL.md / PROMPTING.md encourage using tasks for "research" — meaning untrusted public web or tool results can be read and used to drive decisions or writes.