codex-subagents

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Tags: DATA_EXFILTRATION, COMMAND_EXECUTION
Full Analysis
  • Data Exposure & Exfiltration (LOW): The skill accesses and may clone sensitive authentication files (~/.codex/auth.json, ~/.codex/config.toml) into a local project directory (.codex-home) to facilitate subagent authentication in write-restricted environments (see dev/src/lib/exec-runner.ts). This poses a risk of credential exposure if the project directory is shared or committed.
  • Dynamic Execution (LOW): The tool manages long-running background tasks by spawning detached worker processes via node and executing external CLI binaries (codex, claude) with arguments constructed at runtime (see dev/src/commands/send.ts and dev/src/lib/backends.ts).
  • Indirect Prompt Injection (LOW): The skill's primary function involves interpolating untrusted user prompts into execution flows for subagents.
      • Ingestion points: promptBody and promptFile inputs in the start and send command workflows.
      • Boundary markers: composePrompt (in dev/src/lib/prompt.ts) prepends working directory context but lacks strict delimiters for user content.
      • Capability inventory: Subagents run with the full capabilities of the underlying CLI tools, which include file modification and command execution.
      • Sanitization: Prompts are passed to backends without sanitization or validation of the input content.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 06:45 PM