skills/build000r/skills/codex-tmux/Gen Agent Trust Hub

codex-tmux

Fail

Audited by Gen Agent Trust Hub on Apr 10, 2026

Risk Level: HIGH
Category: COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts/run.py script contains a command injection vulnerability in the _build_tmux_wrapper function. Several variables derived from user-controlled input, such as prefix, session_name, and signal_channel, are interpolated into a generated Bash script template using double quotes (e.g., PREFIX="{prefix}") without proper shell escaping (such as shlex.quote). An attacker can execute arbitrary commands by providing a payload like $(id) to the --prefix argument.
  • [COMMAND_EXECUTION]: A secondary injection vulnerability exists within the generated Bash script's use of osascript. The NOTIFY_MSG variable incorporates the user-controlled prefix and is not sanitized before being used in an osascript command line, potentially allowing for AppleScript-based injection.
  • [COMMAND_EXECUTION]: The skill relies on the practice of dynamically generating and executing temporary shell scripts. Because user-controlled input is incorporated into these scripts without using security best practices for all fields, it creates a high-severity security risk.
  • [COMMAND_EXECUTION]: The skill uses subprocess.run to interact with system tools like tmux and bash. While these interactions are part of the skill's core functionality, the identified injection vulnerability allows these tools to be misused for unauthorized actions.
  • [COMMAND_EXECUTION]: (Indirect Prompt Injection Surface) The skill ingests untrusted data via the --task argument and possesses capabilities including shell command execution and file system access.
      1. Ingestion points: --task parameter in scripts/run.py.
      2. Boundary markers: None.
      3. Capability inventory: Execution of tmux and bash via subprocess.run; writing to /tmp/codex-tmux.
      4. Sanitization: Task content is handled via file writes and quoted subshells, which prevents direct shell injection but fails to sanitize the content for downstream processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 10, 2026, 08:12 PM