Codex Bridge
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the codex CLI binary using a bash wrapper script (scripts/codex-exec.sh). The script follows security best practices by using bash arrays for command execution to prevent shell injection and validating that output file paths reside within the /tmp directory.
- [EXTERNAL_DOWNLOADS]: Documentation within the skill suggests installing the @openai/codex package from the NPM registry. This package originates from a well-known and trusted service provider.
- [PROMPT_INJECTION]: The skill is designed to take user-provided text and pass it as an instruction to an external AI model via the Codex CLI. This architecture creates a surface for indirect prompt injection.
  - Ingestion points: User requests are captured via the SKILL.md routing logic and passed to scripts/codex-exec.sh as the PROMPT variable.
  - Boundary markers: The prompt construction does not employ delimiters or explicit instructions to ignore embedded commands within the user input.
  - Capability inventory: The underlying codex tool has capabilities to read files and, if explicitly requested by the user, perform write operations in the workspace.
  - Sanitization: The skill does not perform sanitization or filtering of the user input before passing it to the external tool.
Audit Metadata