codex-audit
Warn
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill instructions mandate checking the host directory 'D:\Projects*' for existing code to extract and adapt. Accessing arbitrary file paths outside the skill's intended working directory creates a risk of sensitive data exposure.
- [COMMAND_EXECUTION]: The skill uses bash to execute a local script 'scripts/multi-model/codex-audit.sh' with user-provided arguments. This execution pattern depends on the security of a script not bundled within the skill definition.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted source code and task descriptions autonomously with file-system modification capabilities.
  - Ingestion points: Source code and project files provided via the '--context' parameter and user-defined tasks.
  - Boundary markers: Absent; the skill lacks delimiters or instructions to ignore embedded commands within the data being audited.
  - Capability inventory: The skill permits 'Bash', 'Write', and 'TodoWrite', which could be abused if the agent obeys instructions found within the code it is auditing.
  - Sanitization: No sanitization or validation of the input context is performed before it is processed by the autonomous audit loop.
- [PROMPT_INJECTION]: The metadata contains potentially deceptive claims regarding the use of 'GPT-5-Codex', a model that is currently unreleased, which may mislead users or other agents regarding the skill's true nature and capabilities.