codex

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). SKILL.md explicitly documents a "Web Search" feature (e.g., the codex --search command and config option web_search = "live" plus features.web_search_request = true), which allows the agent to perform live searches of the open web and ingest untrusted third-party content as part of a run, and those results can materially influence decisions and follow‑up actions.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill includes explicit runtime hooks that fetch and run external content — e.g., an MCP HTTP server URL (url = "https://api.example.com/mcp") which would stream model context into the agent at runtime, and an example MCP command using npx (args = ["-y","@my/tool-server"]) which downloads and executes remote code — so external URLs/packages can directly control prompts or run code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt documents and encourages use of flags and modes that grant writable/dangerous full-access, bypass approvals (e.g. --yolo, --danger-full-access, inline !command, apply local diffs, add writable roots), which enable the agent to modify system files or bypass security controls and thus can compromise the machine state.