codex
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates execution of the local `codex` CLI binary using subcommands such as `exec`, `resume`, `review`, and `apply`. The instructions emphasize the non-interactive mode (`exec`) to ensure compatibility with the agent's environment.
- [DATA_EXFILTRATION]: The skill documents the use of sandbox policies (`read-only`, `workspace-write`) to control filesystem access. It correctly defaults to `read-only` for analysis tasks and only recommends `workspace-write` when the user explicitly requests file modifications.
- [PROMPT_INJECTION]: As an integration for a reasoning model, the skill is inherently a surface for indirect prompt injection if malicious instructions are present in the workspace files it analyzes. However, it incorporates human-in-the-loop safety via the `approval_policy=on-request` configuration.
- Ingestion points: User prompts and workspace files (accessed via the `@path` syntax or the `-C` working directory flag).
- Boundary markers: Encourages the use of `approval_policy=on-request` to gate tool actions, though it does not specify explicit content delimiters in the instructions.
- Capability inventory: The CLI tool can modify the workspace filesystem (`workspace-write`) and execute shell commands (the `shell_tool` feature).
- Sanitization: The skill acts as a direct pass-through for instructions to the CLI tool without performing local sanitization, relying on the underlying model's guardrails and CLI sandboxing.
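The sandbox default described above is easy to get wrong in a wrapper script. The following is an added example, not code from the audited skill or from the Codex project: a POSIX shell wrapper that always invokes `codex exec` with `read-only` unless the caller explicitly asks for writes, never allows any other sandbox value, and pins the approval policy to `on-request`. The flag names `--sandbox` and `--ask-for-approval` are assumptions about the current Codex CLI and should be confirmed with `codex exec --help`; `-C` is the working-directory flag the audit itself mentions.

```shell
#!/bin/sh
# Wrapper enforcing the audit's sandbox defaults for `codex exec`.
# Assumed CLI flags: --sandbox <mode>, --ask-for-approval <policy>, -C <dir>.

# sandbox_mode WRITE_FLAG -> prints the sandbox policy to use.
# Empty/no/0/false -> read-only (the default for analysis tasks);
# yes/1/true       -> workspace-write (only on explicit request);
# anything else is refused so a caller cannot smuggle in a wider mode
# such as full filesystem access.
sandbox_mode() {
  case "$1" in
    ''|no|0|false) echo read-only ;;
    yes|1|true)    echo workspace-write ;;
    *) echo "sandbox_mode: refusing unknown write flag '$1'" >&2; return 2 ;;
  esac
}

# codex_cmd DIR WRITE_FLAG PROMPT -> prints the command line that codex_run
# would execute, so the policy can be inspected without a codex binary.
codex_cmd() {
  dir=$1 write=$2 prompt=$3
  mode=$(sandbox_mode "$write") || return 2
  printf 'codex exec --sandbox %s --ask-for-approval on-request -C %s %s\n' \
    "$mode" "$dir" "$prompt"
}

# codex_run DIR WRITE_FLAG PROMPT -> actually runs codex with the same policy.
# The prompt is passed as a single argument, so spaces in it are preserved.
codex_run() {
  dir=$1 write=$2 prompt=$3
  mode=$(sandbox_mode "$write") || return 2
  codex exec --sandbox "$mode" --ask-for-approval on-request -C "$dir" "$prompt"
}

# Constructed usage (printed only; nothing is executed here):
# codex_cmd /srv/app ''  'review the open diff'
# codex_cmd /srv/app yes 'apply the fix you proposed'
```

Two caveats a practitioner should keep in mind: the wrapper constrains what the user asks for, not what the model reads, so a workspace file containing injected instructions is still mitigated only by the sandbox and the approval gate; and in non-interactive `exec` mode there may be no terminal to answer an `on-request` approval, so check how your CLI version handles that before treating the approval policy as a boundary.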
Audit Metadata