codex-iterative-solver
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): In Phase 3, the skill executes a bash command using the pattern "$(cat /tmp/codex_iteration_N_prompt.txt)". Since the content of this file includes user-provided problem descriptions and approaches, an attacker can inject shell metacharacters (such as backticks, semicolons, or pipe symbols) into the input to execute arbitrary commands on the underlying system.
- DATA_EXFILTRATION (MEDIUM): The skill stores sensitive session data, including codebase paths, data structures, and potential architectural plans, in the /tmp/ directory. These files are often world-readable in multi-user environments, leading to potential exposure of intellectual property and internal codebase metadata.
- PROMPT_INJECTION (LOW): The skill is susceptible to indirect prompt injection where instructions embedded in the analyzed codebase could manipulate the Codex CLI's output. While Phase 4.5 provides a manual verification framework as a mitigation, the attack surface remains open due to the skill's ingestion of untrusted external code.
Recommendations
- AI detected serious security threats
Audit Metadata