codex-claude-cursor-loop
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill interpolates LLM-generated content (Claude's plans and Cursor's implementation summaries) directly into the text of shell commands, so the shell parses that content as part of the command rather than treating it as data.
  - Evidence: Phase 2, Phase 5, and Phase 7 use `echo "[content]" | codex exec`. If the content contains shell metacharacters such as backticks, semicolons, or dollar signs (including `$(...)` command substitution, which the shell expands even inside double quotes), it can lead to arbitrary command execution on the host runner.
  - Evidence: Phase 4 and Phase 7 pass LLM content as arguments to `cursor-agent`. If the content contains characters that break out of the argument quoting, it can lead to command injection.
- EXTERNAL_DOWNLOADS (MEDIUM): The skill requires the external CLI tools `codex` and `cursor-agent` to be installed and available in the PATH. These are not standard system utilities, and their security profile depends on the environment setup.
- INDIRECT_PROMPT_INJECTION (LOW): The skill implements a multi-step loop in which each step reads and processes data generated by a different agent, creating an attack surface for indirect prompt injection.
  - Ingestion points: Phase 6 (Claude's Final Review) reads implemented code from the filesystem; Phase 5 reads implementation summaries.
  - Boundary markers: Absent. Content is interpolated directly into prompts and shell commands.
  - Capability inventory: `cursor-agent` (file system write access), `codex exec` (logic execution).
  - Sanitization: None. Strings are neither escaped nor validated before they are used to influence the next step in the loop.
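The interpolation problem flagged under COMMAND_EXECUTION, and the stdin/argv hardening that removes it, as an added example. This is not the audit's or the skill's own code: it substitutes `cat` for `codex exec` and `echo` for `cursor-agent` (assumptions, so that the example runs offline; both stand-ins simply echo what they receive), and the plan text is a constructed sample whose `$(echo INJECTED)` stands in for a payload the model, or content it ingested, could emit. The `SHELL_META` scan is a reviewer's gate, not a substitute for keeping untrusted text out of the shell's parse.

```python
import shlex
import subprocess

# Stand-ins (assumption for this example): "codex exec" reads its prompt on
# stdin, so `cat` models it; a tool that takes the text as an argv element is
# modelled by `echo`. Neither real CLI is needed to run this.
CODEX_CMD = ["cat"]
ARGV_TOOL = ["echo"]

# Constructed sample of LLM-generated plan text. The command substitution is
# the payload; semicolon and dollar sign are exactly the metacharacters the
# audit lists.
SAMPLE_PLAN = "Refactor the parser; cost estimate: $(echo INJECTED) hours"

# Characters that change meaning once the shell parses a command string.
SHELL_META = set('`$;|&<>()"\'\\\n')


def run_interpolated(plan: str) -> str:
    """The pattern the audit flags: plan text pasted into a command string.

    The shell sees `echo "...$(echo INJECTED)..." | cat` and expands the
    substitution before echo ever runs, even though it sits inside quotes.
    """
    cmd = f'echo "{plan}" | {" ".join(CODEX_CMD)}'
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_via_stdin(plan: str) -> str:
    """Hardened: no shell at all; the plan is delivered as raw bytes on stdin.

    There is no command string for metacharacters to alter, so the tool
    receives the text exactly as the model produced it.
    """
    return subprocess.run(CODEX_CMD, input=plan, capture_output=True, text=True).stdout


def run_as_argv(text: str) -> str:
    """Hardened form for the cursor-agent case: pass the text as one argv
    element in a list, never joined into a string for `sh -c`."""
    return subprocess.run(ARGV_TOOL + [text], capture_output=True, text=True).stdout


def run_quoted(plan: str) -> str:
    """If a shell string truly cannot be avoided, shlex.quote() the untrusted
    part so the shell treats it as a single literal word."""
    cmd = f"echo {shlex.quote(plan)} | {' '.join(CODEX_CMD)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def shell_metachars(text: str) -> set:
    """Audit check: which shell metacharacters an LLM output contains.

    Useful for flagging a plan before it reaches a command string; an empty
    set is not proof of safety, which is why the stdin/argv forms above are
    the actual fix.
    """
    return {c for c in text if c in SHELL_META}


if __name__ == "__main__":
    print("interpolated :", run_interpolated(SAMPLE_PLAN).rstrip("\n"))
    print("via stdin    :", run_via_stdin(SAMPLE_PLAN))
    print("as argv      :", run_as_argv(SAMPLE_PLAN).rstrip("\n"))
    print("quoted       :", run_quoted(SAMPLE_PLAN).rstrip("\n"))
    print("metachars    :", sorted(shell_metachars(SAMPLE_PLAN)))
```

Running it shows the interpolated form printing `... cost estimate: INJECTED hours` (the substitution executed on the host), while the stdin, argv, and quoted forms all return the literal `$(echo INJECTED)` text unchanged. The same split applies to a skill written as shell: `"$plan" | codex exec` with the text in a variable, or `codex exec < plan.txt`, keeps the content out of the parse, whereas writing the plan into the command line itself does not.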
Recommendations
- AI detected serious security threats
Audit Metadata