codex-collab
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [Command Execution] (MEDIUM): The MCP tool interface includes a `cd(Path)` parameter and a `danger-full-access` sandbox mode. This provides a mechanism for the agent to access arbitrary file system paths or execute commands with elevated privileges if the prompt-based constraints (which currently mandate `read-only`) are bypassed.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and act upon data from an external 'Codex' agent, creating a vulnerability surface where malicious instructions could be embedded in the code prototypes or analysis.
- Ingestion points: Data enters the system via the `agent_messages` and `all_messages` return values from the Codex tool.
- Boundary markers: Absent. The skill provides no specific delimiters or instructions to the primary agent to ignore instructions embedded within the Codex response.
- Capability inventory: The primary agent is authorized to perform '具体编程修改' (concrete programming modifications) and rewrite code into '企业生产级代码' (enterprise-grade code) based on the ingested content.
- Sanitization: Absent. There is no evidence of filtering or validation for the content returned by the external tool before it influences local file modifications.
Audit Metadata