codexforclaude

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The prompt includes an explicit CLI example that embeds an API key as a command-line argument (e.g., codex mcp add myserver --env API_KEY=xxx), which encourages placing secrets directly into generated commands and can lead the LLM to output secret values verbatim.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The content contains explicit, high-risk instructions that disable or bypass sandboxing and approval controls, add and run arbitrary external MCP servers (including npx-installed packages), and forward bearer tokens/environment variables—patterns that enable remote code execution, credential exfiltration, and supply‑chain abuse if misused.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly documents adding HTTP MCP servers (e.g., references/mcp-servers.md and the "Adding MCP Servers" section in SKILL.md) and enabling web_search in references/config-toml.md, which causes the agent to fetch and ingest content from remote/public third-party URLs that can influence tool selection and actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The prompt explicitly encourages enabling "danger-full-access" sandbox mode, setting approval_policy to "never", and even provides a "codex --dangerously-bypass-approvals-and-sandbox" command, which directs the agent to run with full system access and bypass safeguards—actions that can compromise the host state.