The Agent Skills Directory

[PROMPT_INJECTION]: The instructions in SKILL.md attempt to override standard agent behavior.\n
The agent is explicitly directed to treat the ask_codex.sh script as a "black box" and is forbidden from inspecting the script's source code.\n
The instructions also forbid the agent from referencing or describing the skill's own configuration in its prompts to the underlying tool.\n- [COMMAND_EXECUTION]: The skill relies on the execution of an external CLI tool named codex via a bash script wrapper.\n
The ask_codex.sh script executes the codex binary using codex exec and codex exec resume commands.\n
User-provided task descriptions and file references are passed directly to this binary, which then interprets them and acts autonomously.\n- [DATA_EXFILTRATION]: The skill grants extensive access to the user's workspace to an external, non-standard tool.\n
Documentation states the tool has "full workspace access" and can "read files, explore code, and figure out implementation details on its own."\n
The script's logic for parsing JSON output indicates support for command_execution (shell commands) and write_file/patch_file operations, providing a surface for unauthorized data access and exfiltration.\n- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its handling of untrusted input.\n
Ingestion points: Untrusted data enters the context via the task argument and the contents of files specified with the --file flag in ask_codex.sh.\n
Boundary markers: The script does not implement boundary markers or instructions to ignore embedded commands when passing data to the codex tool.\n
Capability inventory: The skill allows for arbitrary shell command execution and file system modifications across the entire workspace via the codex agent.\n
Sanitization: No sanitization or validation is performed on the input task text or the content of processed files before they are sent to the execution environment.

codex