codex-review
Pass
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: SAFE
COMMAND_EXECUTION
PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on executing shell commands, specifically 'codex exec' and 'git', to perform its functions. It dynamically constructs prompts for the 'codex' tool using heredoc syntax. While the instructions emphasize a read-only constraint, the execution of external CLI tools with variable input is a primary capability of the skill.
- [INDIRECT_PROMPT_INJECTION]: The skill is designed to ingest and process untrusted data from the local repository, which poses a risk of indirect prompt injection.
  - Ingestion points: The skill reads file paths, directory structures, git diffs, and the contents of implementation plans from the local environment (documented in SKILL.md workflow steps).
  - Boundary markers: The skill lacks explicit boundary markers or delimiters (such as XML tags or specific tokens) to isolate untrusted file content from the instructions sent to the Codex model.
  - Capability inventory: The skill uses 'codex exec' for analysis and 'git' for context gathering. It manages a multi-round iterative loop where findings from an external source directly influence the agent's logic and future implementation contracts.
  - Sanitization: No sanitization, escaping, or validation logic is present to filter malicious instructions embedded within the source code or plans being reviewed.
- [PROMPT_INJECTION]: The skill contains internal orchestration instructions using keywords like 'CRITICAL' and 'IMPORTANT' to define the relationship and hierarchy between 'Claude Code' and the 'Codex' sub-agent. These are logic-steering instructions for the agent's workflow rather than attempts to bypass base safety guidelines.
Audit Metadata