codex-agent

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The script scripts/codex-wrapper.sh is vulnerable to shell command injection. It constructs a command string by interpolating the $TASK variable and then executes it using eval. Since the task description is provided by the AI agent based on user prompts, a malicious prompt can inject arbitrary shell commands (e.g., using ;, &, or backticks) that will be executed on the host system.
  • Evidence: scripts/codex-wrapper.sh lines 105-108: CMD="$CMD \"$TASK\"" followed by eval $CMD.
  • [EXTERNAL_DOWNLOADS] (HIGH): The skill mandates the installation of @openai/codex via npm install -g. This package is not an official OpenAI release and appears to be an unverified third-party tool. Requiring users to install global npm packages from unverified sources poses a significant supply chain risk, as the package could contain malicious code or be a victim of typosquatting.
  • Evidence: README.md and SKILL.md Prerequisites sections.
  • [REMOTE_CODE_EXECUTION] (MEDIUM): The skill's documentation in advanced.md encourages adding remote Model Context Protocol (MCP) servers via arbitrary URLs. This allows the agent to dynamically integrate and execute tool definitions from untrusted network locations, potentially leading to remote code execution if the remote server is compromised or malicious.
  • Evidence: advanced.md section 'Add MCP Server (HTTP)'.
  • [PROMPT_INJECTION] (LOW): The SKILL.md uses authoritative language ('MANDATORY', 'MUST') to override default agent behavior. While intended for workflow enforcement, this pattern can be used to bypass an agent's standard operational constraints.
  • [DATA_EXFILTRATION] (LOW): The skill documentation highlights the use of CODEX_API_KEY and codex login, which involves handling sensitive credentials. While common for CLI tools, the lack of explicit credential safety guidance increases the risk of accidental exposure.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill is inherently vulnerable to indirect prompt injection because it processes output from an external tool (codex) and uses it to perform file edits via the Edit tool without sanitization.
  • Evidence Chain:
    1. Ingestion points: /tmp/codex-review.md (read in SKILL.md Step 2).
    2. Boundary markers: None; the agent is instructed to read the raw file content.
    3. Capability inventory: Bash, Write, Edit (listed in SKILL.md YAML).
    4. Sanitization: None; instructions mandate: 'Apply the fix using Edit tool' based directly on the parsed external feedback.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:10 PM