codex
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- Privilege Escalation (HIGH): The skill encourages the use of the `--sandbox danger-full-access` flag, which grants the tool unrestricted access to the host filesystem and network and bypasses the sandbox boundary the CLI would otherwise enforce.
- Metadata Poisoning (MEDIUM): The skill uses deceptive and fictional claims about 'GPT-5.2' and specific benchmark figures (76.3% on SWE-bench) to establish false authority and persuade the agent to use the high-privilege invocation.
- Obfuscation (MEDIUM): The instruction to append `2>/dev/null` to every execution command discards stderr. It is described as suppressing 'thinking tokens', but it also silences the error messages, warnings and logs that would otherwise alert a user to failing or malicious behaviour.
- Command Execution (LOW): The skill relies on piping user input via `echo "prompt" | codex exec`. If the agent interpolates untrusted external data into that command string without adequate escaping, a crafted prompt can break out of the quotes and run arbitrary shell commands.
- Prompt Injection (LOW): The instruction to always pass `--skip-git-repo-check` bypasses the built-in check that refuses to run outside a Git repository, removing the safety net that lets the tool's edits be reviewed and reverted.
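The Command Execution finding above is easiest to see with the two invocation styles side by side. The script below is an added illustration, not code from the audited skill or from the Codex CLI; it stands in `cat` for `codex exec` so it runs offline and shows exactly which bytes reach the tool's stdin. The untrusted prompt text is constructed for the demonstration, and `naive_pipe` / `safe_pipe` are hypothetical names for the two behaviours.

```shell
#!/bin/sh
# Demonstrates why `echo "prompt" | codex exec` is unsafe when the prompt is
# spliced into a command string, and the stdin-based alternative.
# `cat` stands in for `codex exec` so the script runs without the CLI.
TOOL=cat

# Constructed attacker-controlled text, e.g. copied from a web page the agent
# was asked to summarise. The embedded quotes end the echo argument early.
UNTRUSTED='summarize this"; echo INJECTED; echo "'

# Naive behaviour: build `echo "<prompt>" | tool` as a string and hand it to a
# shell. The quotes inside the data terminate the string, and what follows
# executes as separate commands.
naive_pipe() {
    cmd="echo \"$1\" | $TOOL"
    eval "$cmd"
}

# Safer behaviour: never construct a command string. Pass the data to the
# tool's stdin through a quoted variable; the shell does not re-parse it, so
# the tool receives the prompt verbatim, quotes and all.
safe_pipe() {
    printf '%s\n' "$1" | "$TOOL"
}

# Stand-alone demonstration: the first call runs the injected command, the
# second merely echoes the prompt text back.
if [ "${1:-}" = "demo" ]; then
    echo "--- naive ---"; naive_pipe "$UNTRUSTED"
    echo "--- safe ---";  safe_pipe "$UNTRUSTED"
fi
```

When the real tool is used, the same pattern applies: keep stderr (write it to a file rather than `2>/dev/null`) so that failures and unexpected tool output remain visible, and do not add `--sandbox danger-full-access` or `--skip-git-repo-check` unless the task genuinely requires them.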
Recommendations
- AI detected serious security threats
Audit Metadata