codex-sandbox
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is designed to process untrusted or risky code by interpolating it directly into shell commands (e.g., codex ... "Your task"). This creates a high-risk surface for Indirect Prompt Injection, where malicious code could use shell escapes like backticks or semicolons to execute commands on the host system instead of the sandbox.
- [COMMAND_EXECUTION] (HIGH): The skill instructs the agent to execute host-level shell commands using an external script, scripts/multi-model/codex-yolo.sh. The reliance on an unprovided script with a 'yolo' (You Only Live Once) naming convention suggests a lack of safety controls and poses a risk of arbitrary command execution.
- [DATA_EXFILTRATION] (MEDIUM): The skill mandates searching the absolute path D:\Projects\*. This exposes the host system's directory structure and can lead to unauthorized access or exposure of sensitive project data.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill refers to an external codex CLI and local shell scripts that are not part of the distributed skill package, making their security behavior unverifiable.
Recommendations
- AI detected serious security threats
Audit Metadata