codex

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • COMMAND_EXECUTION (MEDIUM): The skill constructs and executes shell commands using the 'codex' CLI. It explicitly encourages the use of high-risk flags such as '--sandbox danger-full-access' and '--full-auto', which grant the tool extensive permissions over the local environment.
  • COMMAND_EXECUTION (MEDIUM): The instructions mandate appending '2>/dev/null' to commands by default. This suppresses the stderr stream, which is the standard channel for security warnings and error messages, effectively hiding the tool's behavior and potential warnings from both the agent and the user.
  • EXTERNAL_DOWNLOADS (LOW): The installation instructions direct the user to clone code from an untrusted third-party GitHub repository ('skills-directory/skill-codex').
  • PROMPT_INJECTION (LOW): The skill processes untrusted repository data through a CLI with write access. It lacks sanitization or boundary markers to prevent indirect instructions within analyzed files from influencing agent actions. (Evidence: 1. Ingestion: 'codex exec' on repository paths; 2. Boundary: Absent; 3. Capability: 'workspace-write' and 'danger-full-access' flags; 4. Sanitization: Absent).
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 17, 2026, 04:55 PM