
codex-mcp

Warn

Audited by Gen Agent Trust Hub on Apr 14, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The codex_run tool includes a context_cmd argument that is executed on the host system using child_process.execSync, enabling arbitrary shell command execution.
  • [COMMAND_EXECUTION]: The MCP server implementation automatically approves file modifications and permission requests from the sub-process, bypassing typical security confirmation prompts.
  • [PROMPT_INJECTION]: The skill instructions utilize <HARD-GATE> markers and 'Iron Law' directives to forcefully mandate that the agent override its default behavior and act only as a controller.
  • [DATA_EXFILTRATION]: The server script reads the user's global configuration file at ~/.codex/config.toml to extract model settings, exposing local configuration data.
  • [COMMAND_EXECUTION]: The server script employs a basic deny-list for dangerous commands that is easily bypassed, while defaulting to accept for all other command execution requests and running the sub-process in 'danger-full-access' mode.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 14, 2026, 02:11 PM