codex-review
Pass
Audited by Gen Agent Trust Hub on Apr 26, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill provides templates for executing shell commands with variable parameters such as branch names (`--base <BRANCH>`), commit identifiers (`--commit <SHA>`), and custom investigation topics (`codex exec "[specific concern]"`). If the agent populates these placeholders with unsanitized user input or strings extracted from untrusted data (like PR titles), it could lead to command injection vulnerabilities.
- [PROMPT_INJECTION]: The skill is susceptible to Indirect Prompt Injection because it processes untrusted project data (code diffs) using an LLM-based tool without proper isolation.
  - Ingestion points: Source code diffs and file contents are ingested via `git diff` and passed to the `codex` binary as described in `SKILL.md` and `references/prompts.md`.
  - Boundary markers: Absent; the recommended command patterns and prompt templates do not include delimiters or instructions for the model to ignore instructions embedded within the code being analyzed.
  - Capability inventory: The `codex` CLI tool performs complex analysis and can influence the agent's logic based on its generated output.
  - Sanitization: Absent; there is no evidence of filtering or escaping the content of the code diffs before they are processed by the tool.
Audit Metadata