codex
Pass
Audited by Gen Agent Trust Hub on Apr 27, 2026
Risk Level: SAFE
Finding categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted data from external sources, such as GitHub issue descriptions and PR content, directly into the commands executed by the autonomous coding agent.
- Ingestion points: Untrusted content enters the agent's context through issue descriptions passed to `codex exec` commands and through repository content fetched via `git clone` or `gh pr checkout` in the SKILL.md examples.
- Boundary markers: No delimiters or instructions are provided to the agent to ignore or isolate potentially malicious instructions embedded within these external data sources.
- Capability inventory: The skill uses the `terminal` tool to execute arbitrary shell commands and leverages the `codex` agent, which can modify the file system and build software.
- Sanitization: There is no evidence of sanitization or validation of the external content before it is processed by the coding agent.
- [COMMAND_EXECUTION]: The skill promotes the use of high-risk execution flags for the Codex CLI, specifically the `--yolo` flag, which is described as having "no sandbox" and "no approvals". This configuration significantly amplifies the impact of a successful indirect prompt injection: the agent may modify the system without user oversight or security constraints.
- [COMMAND_EXECUTION]: The skill requires the installation of a global NPM package, `@openai/codex`, and uses the `terminal` tool to execute various shell commands for project management and coding tasks.
Audit Metadata