skills/cachemoney/agent-toolkit/codex/Gen Agent Trust Hub

Skill: codex

Verdict: Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM

Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The instructions in SKILL.md direct the agent to construct shell commands by piping user prompts into the codex binary (e.g., echo [prompt] | codex ...). This pattern is highly susceptible to shell command injection if the agent fails to properly escape shell metacharacters in the user's input, potentially allowing the execution of arbitrary commands on the host system.
  • [METADATA_POISONING] (MEDIUM): The skill documentation contains significant deceptive claims, referencing non-existent models such as 'GPT-5.2' and 'GPT-5.2-max' along with unverifiable performance benchmarks (76.3% SWE-bench). This metadata is designed to mislead the agent into overestimating the tool's capabilities or following specific high-privilege operational paths.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill creates a surface for indirect prompt injection by processing external repository data without specified sanitization or boundary markers. Evidence Chain: 1. Ingestion points: repository files analyzed via 'codex exec'; 2. Boundary markers: absent; 3. Capability inventory: shell command execution and file-writing permissions ('workspace-write'); 4. Sanitization: none specified in the instructions.
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Feb 19, 2026, 11:27 PM