skills/boshu2/agentops/codex-team/Gen Agent Trust Hub

codex-team

Warn

Audited by Gen Agent Trust Hub on Apr 6, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands by interpolating user-provided task descriptions directly into double-quoted strings, as seen in the pattern codex exec ... "<prompt>". Because double quotes do not suppress command substitution, a task description containing backticks or $() is executed by the shell unless it is sanitized before interpolation, allowing shell command injection.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs users to install a global NPM package @openai/codex. This specific package name is not a verified official distribution from OpenAI (whose primary package is openai), presenting a supply chain risk such as typosquatting or dependency confusion.
  • [REMOTE_CODE_EXECUTION]: The skill uses the Bash tool to execute an external CLI (codex exec) with broad permissions, including the --full-auto flag. It also documents the use of the -s danger-full-access flag, which explicitly requests the removal of sandbox restrictions for the executed sub-agents.
  • [DATA_EXFILTRATION]: The skill references external documentation regarding the use of HTTP hooks that can POST JSON data to remote URLs, which establishes a potential surface for data exfiltration if the orchestration platform is configured with malicious endpoints.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Apr 6, 2026, 01:24 AM