codex-iterative-fix
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill is designed to run
./scripts/multi-model/codex-yolo.shandbash -lc "codex --full-auto exec ...". These commands provide a direct path for executing arbitrary shell commands based on LLM-generated fixes. - Evidence: Found in README.md and SKILL.md invocation patterns.
- [REMOTE_CODE_EXECUTION] (HIGH): The 'full-auto' and 'yolo' modes allow the AI to generate code, apply it to the file system, and execute it via the test runner (e.g.,
npm test) iteratively. This creates a feedback loop where untrusted code generated by a model is executed automatically. - Ingestion point: Skill processes codebase errors and test failures.
- Capability: Bash, Write, and Edit permissions allows system-level impact.
- [DATA_EXPOSURE] (MEDIUM): The 'Library-First Protocol' mandates scanning
D:\Projects\*for code reuse. This is an overly broad file access pattern that could expose sensitive information or intellectual property from unrelated projects on the host machine. - Evidence: SKILL.md, Library-First Protocol, Step 3.
- [INDIRECT_PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect injection. If a malicious user places instructions inside a failing test file or a source code comment, the iterative loop may 'obey' those instructions while attempting to 'fix' the errors.
- Ingestion points: Test output logs, source code files.
- Boundary markers: None identified in the prompt templates.
- Sanitization: No evidence of output sanitization before execution.
Recommendations
- AI detected serious security threats
Audit Metadata