oracle
Fail
Audited by Gen Agent Trust Hub on Feb 26, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script 'scripts/oracle-to-codex' invokes 'codex exec' with the argument 'approval_policy="never"'. This configuration bypasses human oversight, allowing any shell commands or code recommended by the external AI to be executed immediately on the host system.
- [DATA_EXFILTRATION]: The 'scripts/oracle-bundle' script gathers local file contents into a single stream for transmission to external LLM providers. While intended for context sharing, this process lacks robust protection against the accidental inclusion of sensitive files like private keys or environment variables if broad search patterns are employed.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it consumes content from various files to provide context to an 'Oracle' LLM. An attacker could place malicious instructions inside a project file that, when processed by the Oracle, causes it to generate a harmful command. The 'codex exec' tool would then execute this command automatically due to its 'never' approval policy. Evidence: (1) Ingestion point: 'oracle-bundle' reads files via glob patterns; (2) Boundary markers: Basic markdown code blocks; (3) Capability inventory: Full command execution via 'codex exec'; (4) Sanitization: No filtering or validation of file contents.
Recommendations
- AI detected serious security threats
Audit Metadata