codex

Fail

Audited by Gen Agent Trust Hub on May 9, 2026

Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is highly vulnerable to shell command injection due to the way it constructs and executes CLI commands.
      • User-supplied input ($ARGUMENTS) and prompts are directly interpolated into shell command strings (e.g., echo "prompt" | codex exec ...).
      • There are no instructions for the agent to sanitize, escape, or validate these inputs before execution, allowing an attacker to execute arbitrary shell commands by including sequences like ;, &&, or backticks in their request.
  • [DATA_EXFILTRATION]: The skill explicitly supports and facilitates the use of the --sandbox danger-full-access flag.
      • According to the skill's own documentation, this mode permits network access and out-of-workspace writes.
      • When combined with the command injection vulnerabilities and the ability to read local configuration files (e.g., model-registry.md), this provides a clear pathway for harvesting and exfiltrating sensitive system data.
  • [PROMPT_INJECTION]: The skill exhibits a high-risk surface for indirect prompt injection (Category 8).
      • Ingestion points: The skill ingests untrusted data in the form of code diffs and review prompts intended for the Codex engine.
      • Boundary markers: The instructions lack any requirement for boundary markers (like XML tags or triple-backticks) to separate instructions from the data being analyzed.
      • Capability inventory: The skill possesses the ability to execute shell commands, write to the filesystem (via workspace-write), and access the network (via danger-full-access).
      • Sanitization: There is no evidence of sanitization or filtering for the external content before it is processed or passed to the execution engine.
  • [PRIVILEGE_ESCALATION]: The skill encourages the bypass of standard safety checks.
      • It mandates the use of --skip-git-repo-check, which can force the tool to operate in sensitive system directories it was not intended for.
      • It promotes the use of --full-auto, which reduces user oversight for side-effecting operations like file writes.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 9, 2026, 02:24 AM