domain-reviewer
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS)
Full Analysis
- [COMMAND_EXECUTION]: The skill's Python scripts, specifically `launch_codex_worker.py` and `run_codex_audit_loop.py`, use the `subprocess` module to dynamically construct and execute commands for the `codex` CLI tool. These commands are built from strings and paths derived from external mode configuration files and user-provided arguments.
- [PROMPT_INJECTION]: The skill implements an automated orchestration loop that exposes an indirect prompt injection surface. The `run_codex_audit_loop.py` script parses an AI-generated audit report to extract "handoff blocks," which are then interpolated directly into prompts for subsequent workers.
  - Ingestion points: The orchestrator reads the `AUDIT_REPORT.md` file produced by the previous audit worker.
  - Boundary markers: Extracted handoff content is interpolated into new prompts without explicit delimiters or instructions to ignore nested instructions.
  - Capability inventory: The worker agents can read and write files within the repository and perform git commits via the `codex` tool.
  - Sanitization: The extracted handoff content is not validated or sanitized before being included in subsequent prompts.
- [EXTERNAL_DOWNLOADS]: Orchestration templates and documentation within the skill suggest the use of `npx -y codex mcp-server`, which downloads and executes the Codex MCP server from the npm registry.
Audit Metadata