codex-skill

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill explicitly instructs bypassing approvals and sandboxes, running the agent with full system and network access, and automating unattended code edits, commits, and pushes—behavior that deliberately enables remote code execution, supply‑chain modifications, and potential data exfiltration and credential theft even if no explicit payload is included.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). The skill explicitly ingests user-generated GitHub content (e.g., "gh pr diff", "gh pr checks"/CI logs and PR descriptions) and pipes those PR diffs and logs into models for review and retry logic, so untrusted third-party PR/CI content can influence agent actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly instructs the agent to use flags like --dangerously-bypass-approvals-and-sandbox and -s danger-full-access (granting "full access including network and system") and runs system-level commands (installing packages, launching tmux sessions, writing logs, modifying repos), which encourages bypassing security controls and giving the agent broad system access.