codex-worker
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION)
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes shell commands to manage tmux sessions and git worktrees. Crucially, it invokes the codex CLI with the --dangerously-bypass-approvals-and-sandbox flag. This flag removes all safety guardrails from the sub-agents.
- REMOTE_CODE_EXECUTION (HIGH): Because the sub-agents run without a sandbox, any instructions they encounter in the data they process (such as a malicious GitHub issue during 'batch triage') could result in arbitrary code execution on the host system via indirect prompt injection.
- PROMPT_INJECTION (LOW): The instructions contain behavioral overrides, telling the agent to 'don't wait for the user to ask for parallelism' and to 'replace the built-in Task tool'. While not directly malicious, these instructions encourage the agent to take autonomous actions that bypass standard safety tools.
- DATA_EXPOSURE (MEDIUM): The sub-agents are granted full file system access within their respective git worktrees without the usual security boundaries, potentially exposing sensitive project data to automated processing without oversight.
Recommendations
- AI detected serious security threats