codex-delegation
Pass
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: SAFE
PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill implements a delegation protocol that interpolates external data (task descriptions and source code content) into prompts for sub-agents. This creates a surface for indirect prompt injection where instructions embedded in project files or task definitions could influence the behavior of the worker agents.
  - Ingestion points: Task metadata (title, do, doneWhen) and file contents are ingested into JSON context packages (SKILL.md).
  - Boundary markers: The prompt templates for both Codex and Task executors lack explicit delimiters or instructions to ignore commands embedded within the provided data.
  - Capability inventory: Worker agents are granted execution and file-system modification capabilities (e.g., 'workspace-write').
  - Sanitization: The instructions do not define any validation or sanitization steps for content before it is interpolated into the worker prompts.
Audit Metadata