consult-codex
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: CRITICAL
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- Remote Code Execution (CRITICAL): The skill executes an unverified binary named 'codex' using interactive shells ('zsh -i' or 'bash -i'). This bypasses standard execution controls and allows for arbitrary code execution.
- Data Exposure & Exfiltration (HIGH): The skill provides specific 'jq' commands to read internal agent task outputs under '/private/tmp/claude/', which lets the agent expose its own internal processing logs and potentially sensitive metadata from other tasks.
- Prompt Injection (HIGH): The workflow interpolates raw user input ('[USER_QUESTION]') directly into tool calls without sanitization or boundary markers. Ingestion point: Workflow Step 1. Boundary markers: None. Capability inventory: Shell execution (bash/zsh), file write, file read (jq). Sanitization: None.
- Command Execution (HIGH): Uses interactive shells and complex 'jq' processing of system files, patterns often used to obfuscate malicious activity or bypass security sandboxes.
- Metadata Poisoning (MEDIUM): The skill description references 'GPT-5.3', a version that does not exist, indicating deceptive intent or significant misinformation regarding the skill's capabilities.
Recommendations
- AI detected serious security threats
Audit Metadata