codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, NO_CODE, PROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The setup guide in 'references/codex-mcp-setup.md' directs users to install '@openai/codex' via npm or 'openai-codex' via Homebrew. These are not official OpenAI packages, posing a high risk of typosquatting or supply-chain attacks.
- COMMAND_EXECUTION (HIGH): The skill uses the 'Bash' tool to execute an external 'codex' CLI. It runs the CLI in the background ('&') and synchronizes with 'wait', a process-lifecycle pattern that could conceal malicious activity.
- REMOTE_CODE_EXECUTION (HIGH): The skill executes code via the 'codex exec' command with inputs taken from local files. If the binary is malicious or the inputs are manipulated, the result is arbitrary code execution.
- NO_CODE (LOW): The skill's 'PreToolCall' hook references a script 'check-codex.sh' which is not provided for verification.
- PROMPT_INJECTION (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8). It reads plan contents, requirements, and file data into variables and interpolates them directly into prompts for the external CLI without sanitization. Ingestion points: 'references/experts/*.md'; Capability inventory: Bash, Read, Write, and Edit.
Recommendations
- AI detected serious security threats
Audit Metadata