codex

Fail

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides recipes and guidance for bypassing environment security restrictions. Its documentation suggests using flags like "--dangerously-bypass-approvals-and-sandbox" and policies like "danger-full-access" to enable file system operations that are normally blocked. It also advises users to lower system security thresholds, specifically suggesting the modification of the "kernel.apparmor_restrict_unprivileged_userns" sysctl on Linux systems and disabling the Windows sandbox functionality in configuration files.
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install the "@openai/codex" package from the NPM registry. This package is provided by a well-known organization.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to how it handles external input.
    • Ingestion points: Untrusted input enters through the "$ARGUMENTS" variable in "SKILL.md" and is interpolated directly into the CLI command.
    • Boundary markers: No delimiters or ignore-instructions warnings are used to isolate user input from the command logic.
    • Capability inventory: The skill has the ability to execute commands via the "Bash" tool and modify files using the Codex CLI with potentially elevated sandbox permissions.
    • Sanitization: User input is not validated, escaped, or sanitized before being passed to the tool.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 2, 2026, 03:10 PM