The Agent Skills Directory

[COMMAND_EXECUTION]: The script scripts/codex_review.py executes the codex CLI using subprocess.run with the --full-auto flag enabled. This configuration allows the tool to automatically run commands or scripts suggested by the model, which presents a significant security risk if the model's output is manipulated by malicious input.
[PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted markdown plans and prior context logs directly into LLM prompts without sanitization or robust boundary markers.
Ingestion points: The plan_content and prior_context variables in scripts/codex_review.py are populated from local files provided as arguments.
Boundary markers: Absent; external content is appended after simple text headers like '===== PLAN TO REVIEW ====='.
Capability inventory: The skill can execute shell commands via the subagent and the codex CLI, and it has write access to the workspace directory.
Sanitization: None; external file content is interpolated verbatim into the prompt strings.
[REMOTE_CODE_EXECUTION]: The combination of processing untrusted external data (markdown plans) and the use of a CLI tool with automatic execution capabilities (codex exec --full-auto) creates a potential path for remote code execution if a malicious plan successfully injects instructions that the model then generates as executable output.
[EXTERNAL_DOWNLOADS]: The skill instructions recommend the global installation of the @openai/codex NPM package. While this is an official package from a well-known provider, users should verify its integrity before granting it global execution privileges on their system.

codex-plan-reviewer