codex-claude-loop
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill directs the agent to execute shell commands by piping text into a CLI tool (e.g., `echo "[Plan]" | codex exec`). This is a classic shell injection vulnerability. Because the agent is instructed to place its plan directly into the command string without sanitization, an attacker can use shell metacharacters such as backticks, `$()`, or `;` to execute arbitrary system commands with the agent's privileges.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection (Category 8). It ingests untrusted user input to generate plans that are subsequently used in the high-risk shell commands described above.
- Ingestion points: User instructions provided at the beginning of the engineering loop (e.g., "Make a login feature").
- Boundary markers: Absent; the skill does not use delimiters or instructions to isolate untrusted content within the shell command.
- Capability inventory: The skill makes use of the `codex` CLI and Claude's file editing tools, providing a wide surface for post-exploitation.
- Sanitization: No logic is provided to escape shell metacharacters or validate the AI-generated content before execution.
Recommendations
- AI detected serious security threats
Audit Metadata