codex

Fail

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: HIGH
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute the codex CLI, facilitating shell command execution on the local host.
  • [REMOTE_CODE_EXECUTION]: The codex exec and codex review commands establish a workflow where code is generated by remote AI models and executed locally.
  • [COMMAND_EXECUTION]: The reference material explicitly details the -s danger-full-access flag, which removes all security sandboxing for filesystem and network operations.
  • [COMMAND_EXECUTION]: The skill provides an approval policy setting (-a never) that allows the AI tool to execute generated commands without user confirmation.
  • [PROMPT_INJECTION]: The skill creates an indirect injection surface by interpolating user-provided task requests into English prompts for the codex tool. Untrusted input is ingested in SKILL.md (Step 2), placed within double-quote boundaries in a shell command (codex exec "<english-prompt>"), and processed by a tool with subprocess and file-write capabilities (as seen in the capability inventory), with no documented sanitization or escaping logic.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Apr 1, 2026, 07:09 AM