codex-agent
Fail
Audited by Snyk on Feb 15, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). The content contains no immediate hidden malware, but it mandates sending project code to an external Codex service (risk of data exfiltration), documents storing and using API keys, exposes configuration that can grant full filesystem access and auto-approval, and includes a wrapper script that uses eval, which can allow command injection. Together these create a high-risk capability for accidental or intentional data exfiltration, remote code execution, or system compromise if misused or if the Codex CLI or credentials are compromised.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's docs explicitly enable external web search (advanced.md: "search = true") and show adding remote MCP servers via HTTP (advanced.md: "codex mcp add remote-server --url https://mcp.example.com/api"), while the workflow has Claude read Codex's output files (e.g., /tmp/codex-review.md), meaning the agent can ingest untrusted, user-generated third‑party content fetched by Codex.
Audit Metadata