codex-review
Pass
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses shell commands to run the codex review tool, incorporating user-provided prompts directly into the command line. This interpolation poses a risk of command injection if the input contains shell-active characters like backticks or subshell markers, which may be evaluated despite being wrapped in double quotes.
- [EXTERNAL_DOWNLOADS]: The instructions direct the user to install the @openai/codex package from npm and reference the OpenAI GitHub repository. These are recognized sources associated with the tool's intended purpose.
- [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection as it processes untrusted code diffs. Content within these diffs could be crafted to influence the AI's analysis, potentially leading the agent to overlook issues or suggest malicious code modifications.
  - Ingestion points: Code diffs retrieved via git diff and processed through the codex review CLI (SKILL.md).
  - Boundary markers: No specific boundary markers or instructions are provided to the agent to treat diff content as untrusted data.
  - Capability inventory: The skill can execute shell commands, read repository data, and write files (e.g., .codex-review-output.md).
  - Sanitization: No sanitization of the input diffs or the resulting CLI output is performed before interpretation.