codex
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill takes arbitrary user input from
$ARGUMENTSand embeds it directly into a prompt template for the Codex sub-agent. - Ingestion points: The
{task description from arguments}variable is interpolated into the<task>block inSKILL.md. - Boundary markers: While XML-like tags (
<task>,<constraints>) are used, there is no escaping mechanism. An attacker can use</task>to break out of the intended block and inject malicious instructions. - Sanitization: No sanitization, filtering, or validation is performed on the user-provided task description before it is passed to the sub-agent.
- COMMAND_EXECUTION (HIGH): The skill executes the
codexCLI with expansive permissions that can be manipulated by the user. - Capability inventory: The sub-agent is explicitly granted
workspace-writeby default and can be elevated todanger-full-accessvia the--sandboxflag. It also has access to tools likeBash,Grep, andGlob. - Impact: An injected prompt can leverage these capabilities to delete files, exfiltrate code, or execute arbitrary shell commands on the host system via the sub-agent's
Bashtool. - DATA_EXFILTRATION (MEDIUM): The sub-agent is granted full codebase access by design.
- Evidence: The skill documentation states 'Codex has full codebase access'.
- Risk: Without proper boundaries or oversight, a subverted sub-agent could be instructed to read sensitive files (e.g.,
.env,.ssh/config) and output their contents into the streaming logs or summary files.
Recommendations
- AI detected serious security threats
Audit Metadata