codex-subagent

Pass

Audited by Gen Agent Trust Hub on Mar 26, 2026

Risk Level: SAFE
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/run_batch.py executes the git and codex CLI tools via subprocess.run and subprocess.Popen. All calls pass list-based argument vectors and never enable shell execution (shell=True), which is the recommended practice for preventing command injection through interpolated arguments.
  • [COMMAND_EXECUTION]: Input identifiers such as run_id and task_id are validated against the restrictive regex pattern ^[A-Za-z0-9._-]+$ and additionally rejected if they equal the directory traversal markers . or .., so they cannot be used to manipulate file paths.
  • [COMMAND_EXECUTION]: The skill implements strict path validation in _resolve_task_cwd, using os.path.realpath and os.path.commonpath to ensure that every task working directory resolves to a location inside the repository root.
  • [PROMPT_INJECTION]: The skill reads user-supplied task descriptions (ingestion point: manifest.json) and passes them to the Codex subagent over a pipe on stdin. It does not insert explicit boundary markers into that stdin stream; instead it limits the impact of injected instructions through capability isolation (file writes are confined to the .context/ directory) and by relying on the subagent's sandbox configuration (e.g., read-only or workspace-write) to enforce execution boundaries.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 26, 2026, 07:55 AM