codex

Fail

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill utilizes the Bash tool to execute a CLI tool named codex. It documents and provides examples for high-risk flags: -s danger-full-access, which removes all security restrictions, and -a never, which allows command execution without user confirmation. This facilitates full system compromise if the agent is manipulated into using these settings.
  • [REMOTE_CODE_EXECUTION]: The skill's primary function is to fetch and execute commands or code generated by remote AI models (e.g., GPT-5.3-codex) via the codex exec command. This allows code from an external, untrusted source to be executed on the local machine with the agent's permissions.
  • [PROMPT_INJECTION]: The skill's workflow for generating prompts for the Codex CLI involves interpolating untrusted data from local project files. This creates a surface for indirect prompt injection where an attacker could place malicious instructions in a file that the agent reads and sends to the CLI. 1) Ingestion points: project files and code snippets; 2) Boundary markers: Absent in prompt construction; 3) Capability inventory: codex exec (bash execution) and Write tools; 4) Sanitization: Present as rules (e.g., treating output as untrusted), but contradicted by the documented ability to bypass approval.
  • [PROMPT_INJECTION]: The documentation references non-existent or future-dated AI models (GPT-5.3-codex, o3, o4-mini), which is misleading regarding the tool's provenance and may lead to unexpected behavior or misjudgment of the tool's safety properties.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 13, 2026, 10:31 PM