codex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's research mode (see SKILL.md Mode Router and references/REFERENCE.md "Research template" and the command pattern codex --search exec) explicitly instructs running live web searches and returning clickable citations, so the agent will fetch and interpret open/public third-party web content that can influence decisions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly documents and encourages bypassing sandbox protections (danger-full-access / --dangerously-bypass-approvals-and-sandbox), shows how to disable sandbox/trust workspaces via user config, and requires using elevated access for git writes — all of which facilitate changing machine state and bypassing security controls.