codex-pr-review
Warn
Audited by Socket on Mar 13, 2026
1 alert found:
Security (MEDIUM): SKILL.md
SUSPICIOUS: The review workflow is broadly aligned with the stated PR-review purpose, and use of the official Codex CLI is plausible. However, the required installation of `codex-review` via unpinned `npx github:lploc94/codex_skill` from a personal repo creates a transitive trust and supply-chain risk inconsistent with a high-trust review helper. Because that third-party skill pack likely mediates prompts and runner behavior while the user is authenticated to Codex and exposing local repo content, the overall risk is medium-high even without direct evidence of exfiltration or overtly malicious behavior.
Confidence: 87%
Severity: 74%
Audit Metadata