codex-cli

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is centered around executing the codex CLI tool. It specifically encourages the use of the --full-auto flag, which bypasses step-by-step approval, and mentions the -s danger-full-access sandbox mode. This combination allows an external process to perform potentially destructive operations on the host system without user oversight.
  • [DATA_EXFILTRATION]: The codex cloud exec command enables the submission of local code tasks to a remote cloud service for processing. This represents a data exfiltration vector where sensitive project information or source code could be transmitted to infrastructure not explicitly trusted in the provided context.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8).
      ◦ Ingestion points: The agent is instructed to read output from the external Codex tool using commands like cat /tmp/codex-out.md or by parsing JSON streams.
      ◦ Boundary markers: The instructions do not define boundary markers or 'ignore' instructions for the data ingested from the external tool.
      ◦ Capability inventory: The skill has access to subprocess execution via the codex exec command, which can modify the file system and run shell tasks.
      ◦ Sanitization: There is no evidence of sanitization or validation of the content returned by the external AI before the agent processes or acts upon it.
  • [COMMAND_EXECUTION]: The skill provides patterns for piping complex user-provided prompts directly into shell commands (e.g., cat <<'PROMPT' | codex exec -), which could lead to command injection if input is not properly handled by the underlying shell environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 29, 2026, 08:53 AM