codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection via untrusted data ingestion.
  - Ingestion points: The skill reads a plan file (e.g., plan.md) and performs research on the entire codebase.
  - Boundary markers: The prompt provided to the Codex tool lacks delimiters or instructions to ignore embedded commands within the files.
  - Capability inventory: The primary agent is instructed to 'Address immediately without asking' any issues categorized as 'Critical', which creates an automated file-write loop.
  - Sanitization: No sanitization of untrusted file content is performed.
- [COMMAND_EXECUTION] (MEDIUM): The skill executes the 'codex' binary. While it uses a '--sandbox read-only' flag for the subprocess, the primary agent's 'auto-fix' policy for 'Critical issues' allows the results of this execution to trigger automated, unverified modifications to the local filesystem, effectively bypassing the sandbox's intent.
Recommendations
- AI detected serious security threats
Audit Metadata