codex-system

Pass

Audited by Gen Agent Trust Hub on Mar 14, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill relies extensively on the codex exec command to perform its tasks. These commands include flags such as --sandbox workspace-write and --full-auto, which allow the tool to modify the local filesystem without manual intervention.
  • [REMOTE_CODE_EXECUTION]: The codex exec utility sends instructions and code snippets to a remote model (e.g., GPT-5.4) for processing. The results are then executed or applied back to the local environment, creating a remote-to-local execution loop.
  • [PROMPT_INJECTION]: Multiple templates (e.g., in SKILL.md and references/refactoring-task.md) interpolate unvalidated user input directly into the instruction strings passed to the Codex CLI. For example, the Implementation Planning template uses variables like {feature} and {relevant architecture/code} which could be used to inject malicious instructions into the subagent's context.
  • [INDIRECT_PROMPT_INJECTION]: The skill exhibits a high vulnerability surface for indirect prompt injection:
      • Ingestion points: Processes untrusted data from git diffs, error messages, and existing source code files (e.g., {git diff output}, {error message}, {current_code}).
      • Boundary markers: No explicit boundary markers or 'ignore' instructions are used to separate untrusted data from the system instructions in the command templates.
      • Capability inventory: The system can write to the workspace (workspace-write) and execute complex refactoring tasks.
      • Sanitization: No sanitization or escaping of the interpolated variables is evident in the configuration files.
  • [EXTERNAL_DOWNLOADS]: The troubleshooting.md file suggests installing an external package @openai/codex via NPM. While OpenAI is a well-known entity, this specific package name is non-standard for their public offerings.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 14, 2026, 04:37 PM