codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (HIGH): The skill constructs bash commands by directly inserting user-provided values for branch names, commit SHAs, and custom instructions. This allows an attacker to execute arbitrary system commands by including shell metacharacters like semicolons, pipes, or backticks in their input.
- [PROMPT_INJECTION] (HIGH): The skill is highly susceptible to indirect prompt injection (Category 8) while processing code for review. 1. Ingestion points: Local source code files and git history via the
codexCLI. 2. Boundary markers: None identified; the skill does not use protective delimiters. 3. Capability inventory: Execution of shell commands (bash). 4. Sanitization: None; no logic exists to filter malicious instructions embedded in code comments or strings. - [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on the unverified
codexCLI tool and accesses a local configuration file at~/.codex/config.toml. The lack of a trusted source for this dependency introduces a supply chain risk.
Recommendations
- AI detected serious security threats
Audit Metadata