codex
Warn
Audited by Gen Agent Trust Hub on Feb 19, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill interpolates user-controlled text directly into a shell command: `npx @openai/codex exec --full-auto "<prompt>"`. This creates a surface for command or argument injection if the input contains shell metacharacters.
- [REMOTE_CODE_EXECUTION] (MEDIUM): The use of the `--full-auto` flag with a code-generation tool suggests the skill is designed to generate and execute code without a human-in-the-loop, which is a significant security risk if the prompt is manipulated.
- [EXTERNAL_DOWNLOADS] (LOW): The skill uses `npx` to fetch and run the `@openai/codex` package. While 'openai' is a trusted organization, the use of `npx` involves runtime fetching of code from a public registry.
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted user input and feeds it into an execution environment with high capabilities.
  - Ingestion points: `$ARGUMENTS` and natural language triggers defined in `SKILL.md`.
  - Boundary markers: Weak; the prompt is wrapped in double quotes in the shell command but lacks explicit delimiters or instructions to ignore embedded commands.
  - Capability inventory: Full execution of generated code via `@openai/codex`.
  - Sanitization: None detected; the input is passed directly to the tool.
Audit Metadata