work
Fail
Audited by Gen Agent Trust Hub on Mar 2, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill configuration in SKILL.md and references/codex-engine.md includes bypass_guards for high-risk operations such as rm_rf and git_push. This constitutes an explicit attempt to override the host environment's safety filters.\n- [COMMAND_EXECUTION]: The skill automatically executes local shell scripts, including ./tests/validate-plugin.sh and ./scripts/ci/check-consistency.sh, as part of its verification process without prior validation of script content.\n- [COMMAND_EXECUTION]: The references/codex-engine.md describes the use of a CLI tool 'codex' to execute code generated by an AI model. This creates a vector for executing arbitrary logic derived from external input.\n- [PROMPT_INJECTION]: The skill has a significant indirect prompt injection surface through the ingestion of untrusted data from Plans.md.
- Ingestion points: Task titles and descriptions in Plans.md are used to construct execution prompts.
- Boundary markers: No delimiters or ignore instructions are present to separate system instructions from task data.
- Capability inventory: The skill utilizes Bash, Task for background execution, and file modification tools.
- Sanitization: No input validation or sanitization of the Plans.md content is performed before processing.
Recommendations
- AI detected serious security threats
Audit Metadata