codex-plan-review
Pass
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: SAFE
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes a runner script using the `node` engine to manage the debate lifecycle, including starting, polling, and stopping processes as described in `references/workflow.md`.
- [EXTERNAL_DOWNLOADS]: The documentation requires a dependency hosted on GitHub (`github:lploc94/codex_skill`) to be installed via `npx`, which involves downloading code from the author's repository.
- [REMOTE_CODE_EXECUTION]: The recommendation to use `npx github:lploc94/codex_skill` facilitates the execution of remote code directly from a GitHub repository during the setup phase.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It processes untrusted data from local plan files and user requests by interpolating them into internal prompt templates used for implementation review.
  - Ingestion points: The contents of `plan.md` and the `USER_REQUEST` string are used to populate variables in the prompt templates found in `references/prompts.md`.
  - Boundary markers: The templates use standard Markdown headers (e.g., `## Plan Location`) to separate sections, which provides minimal protection against adversarial content within the ingested files.
  - Capability inventory: The skill possesses capabilities to execute system commands through the node-based runner and to modify local files when applying plan edits.
  - Sanitization: There is no explicit evidence of input validation, sanitization, or escaping of the content being interpolated into the prompts.
Audit Metadata