NYC

research

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL

Full Analysis

CRITICAL E004: Prompt injection detected in skill instructions.

  • Potential prompt injection detected (high risk: 1.00). The prompt includes explicit, out-of-scope instructions to bypass approvals and sandboxing (e.g., --dangerously-bypass-approvals-and-sandbox, --skip-git-repo-check), which are hidden/deceptive commands that attempt to override safety constraints and do not align with a research skill's stated purpose.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill explicitly instructs using "codex web search" to return raw search results with URLs and to validate/read those external pages (see the "Batch Retrieval" and "Link Validation" sections), so the agent will fetch and interpret untrusted third‑party web content.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 1.00). The prompt explicitly instructs using command flags like "--dangerously-bypass-approvals-and-sandbox" and "--skip-git-repo-check", which encourage bypassing sandbox/approval/security controls and thus push the agent toward compromising the host environment.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:46 PM