codex-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The SKILL.md explicitly enables network access and external Model Context Protocol (MCP) servers (e.g., mcp_servers.my-api url = "https://my-server.example.com/mcp", npx @modelcontextprotocol/server-github) and a --live-search flag, so the agent will fetch and consume untrusted third-party web content that can influence its actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly documents and encourages bypassing sandboxing and approval controls (flags like --dangerously-bypass-approvals-and-sandbox / --yolo and sandbox mode danger-full-access), running arbitrary shell commands, and installing global packages, which directly enable the agent to modify the host system and compromise machine state.