codex-cli
Warn
Audited by Gen Agent Trust Hub on Mar 13, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: Enables the execution of arbitrary shell commands through the codex exec subcommand and an interactive shortcut in the TUI.
- [COMMAND_EXECUTION]: Documents the --dangerously-bypass-approvals-and-sandbox (or --yolo) flag, which explicitly removes all filesystem and network restrictions, granting the AI agent unrestricted system access.
- [EXTERNAL_DOWNLOADS]: Recommends installing the @openai/codex package and running @modelcontextprotocol/server-github via npx. While the openai scope is trusted, this specific package and the referenced 'GPT-5' models are not recognized official components.
- [PROMPT_INJECTION]: The skill acts as a surface for indirect prompt injection because it reads and processes project files without implementing security boundaries or sanitization.
  - Ingestion points: Local project directory files and configuration files.
  - Boundary markers: Not implemented.
  - Capability inventory: Arbitrary shell command execution, filesystem modification, and package installation.
  - Sanitization: No sanitization or validation of external codebase content is mentioned.
Audit Metadata