codex-cli
Fail
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly instructs the agent to execute shell commands by directly inserting raw user strings into the arguments (e.g., `codex exec "<user prompt>"`). This pattern allows for command injection if the user input contains shell metacharacters like semicolons, backticks, or pipes.
- [EXTERNAL_DOWNLOADS]: The skill requires the global installation of a non-standard NPM package (`@openai/codex`). Relying on unverified global packages introduces a significant supply chain risk to the user's environment, especially as the package name does not align with standard official offerings.
- [REMOTE_CODE_EXECUTION]: The CLI commands include flags for autonomous execution (`--full-auto`) and write access to the workspace (`-s workspace-write`), which allow the model to modify files and execute logic on the host system without human intervention.
- [DATA_EXFILTRATION]: The top-level `--search` flag enables web search capabilities within the tool. This creates a risk where sensitive code snippets or local context provided to the tool for auditing could be transmitted to external servers.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the filesystem (`cat file.txt`) and git history (`git diff`) and pipes it into an execution context. There are no boundary markers or sanitization steps to prevent embedded instructions in the audited code from influencing the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata