codex-cli
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill utilizes high-risk command flags such as '--full-auto' and '-s danger-full-access'. These features enable the AI to execute system-level operations and modify files in the workspace without mandatory manual approval.
- [EXTERNAL_DOWNLOADS]: The validation documentation references the installation of the '@openai/codex' package from the official OpenAI NPM scope. This dependency provides the core CLI capabilities for the skill.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its design for analyzing external data. Ingestion points: Untrusted data enters the agent context via file content expansion (e.g., cat src/auth.js), git diff outputs, and image inputs. Boundary markers: The skill lacks explicit delimiters or instructions to ignore embedded commands within the processed data. Capability inventory: Subprocess calls and file-write operations are available through 'workspace-write' and 'danger-full-access' sandbox modes. Sanitization: There is no evidence of input escaping or validation for content passed to the 'codex exec' command. This allows malicious instructions inside reviewed code to potentially hijack the agent's high-privilege capabilities.
Audit Metadata