codex-review-cc

Fail

Audited by Gen Agent Trust Hub on Mar 8, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill constructs shell commands such as codex exec --full-auto "{user_objective}" where the objective is taken from user input. This lacks sanitization, allowing for shell command injection via metacharacters (e.g., backticks or command substitution) within the user's objective or concern.
  • [DATA_EXFILTRATION]: The skill's primary function is to upload local repository content to OpenAI's Codex service for analysis. This results in the exposure of potentially sensitive source code and intellectual property to an external third-party service.
  • [EXTERNAL_DOWNLOADS]: The skill relies on a non-standard CLI tool named codex. This tool is not provided by a recognized trusted vendor and its origin cannot be verified, representing an unvetted external dependency.
  • [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by interpolating unvalidated user input and codebase content into prompts sent to the secondary AI model, which could be exploited to manipulate the analysis results or the agent's subsequent actions.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Mar 8, 2026, 06:27 AM