codex-issue-waves

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). This orchestration skill contains no direct exfiltration payloads or obfuscated backdoor code, but it explicitly requires running an autonomous agent with flags that bypass approvals and sandboxing and performs unsandboxed background execution, force-pushes, and automated GitHub merges — a deliberate, high-risk capability that could enable remote code execution, credential misuse, and supply-chain or exfiltration abuse if the agent or prompts are compromised.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). This skill fetches GitHub issue bodies (user-generated content) via commands like gh issue view <N> --json ... (references/common-commands.md) and explicitly inlines the full issue body into the codex implementer/reviewer prompts (SKILL.md and references/prompt-template.md), so untrusted third-party text is read and acted on by the agent and could inject instructions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly fetches GitHub issue bodies at runtime (via gh issue view <N> — e.g. the GitHub Issues API endpoint https://api.github.com/repos///issues/) and inlines that content into the codex dispatch/reviewer prompts, so remote issue text can directly control agent instructions.