run-codex
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION] (MEDIUM): The skill utilizes a tool named mcp__plugin_headless-knight_runCLI__codex and a configurable environment variable OPENAI_CODEX_COMMAND. This structure suggests the execution of arbitrary system commands. There is a risk of command injection if the workDir or env parameters are manipulated with malicious payloads.
- [CREDENTIALS_UNSAFE] (MEDIUM): The documentation explicitly mentions the use of OPENAI_API_KEY. While necessary for the intended function, passing these credentials to an unverified third-party CLI tool ('Codex CLI') creates a high risk of credential exfiltration.
- [EXTERNAL_DOWNLOADS] (LOW): The skill depends on an external executable (OPENAI_CODEX_COMMAND) that must be present in the system's PATH. This is an unverifiable dependency, as the source and integrity of this executable are not defined within the skill.
- [PROMPT_INJECTION] (LOW): The skill allows for a user-defined systemPrompt to be passed to an external assistant. This creates a surface for prompt injection where the external model's behavior could be manipulated to bypass its own safety constraints.
- [INDIRECT PROMPT INJECTION] (LOW): The skill ingests untrusted data via the prompt parameter and possesses command-line execution capabilities.
  - Ingestion points: The prompt and systemPrompt parameters in SKILL.md are the primary entry points for untrusted data.
  - Boundary markers: No delimiters or 'ignore' instructions are specified for the interpolated prompts.
  - Capability inventory: The skill has the ability to run CLI commands and set environment variables.
  - Sanitization: There is no evidence of input validation or sanitization before the data is passed to the external CLI tool.
Audit Metadata