codex-dev-g

[Skill Scanner] Instruction directing agent to run/execute external content All findings: [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] [CRITICAL] command_injection: Instruction directing agent to run/execute external content (CI011) [AITech 9.1.4] This skill's stated purpose (delegating coding tasks to a Codex CLI helper) is plausible and the requested filesystem and session inputs align with that function. However, several suspicious design choices weaken trust: the documentation explicitly forbids inspecting the bundled script, defaults to broad autonomous workspace write access (--full-auto), and provides no provenance or documentation of network endpoints used by the CLI. Those factors make it possible for the script to exfiltrate repository contents or secrets, or to perform unwanted modifications, without easy detection. I classify this skill as SUSPICIOUS: it may be benign in many cases, but the black-box execution model and overly broad permissions are disproportionate and present a meaningful supply-chain risk unless the script is audited or provenance is established. LLM verification: The skill's documented purpose (delegating coding tasks to a locally bundled Codex CLI wrapper) is coherent with the capabilities described. However, operational rules that treat the local script as a non-inspectable black box, coupled with default broad write permissions and no provenance or integrity checks, create meaningful supply-chain and data-exfiltration risk. I recommend: (1) Do not run the script until its source and contents are reviewed; (2) require provenance and a signed checksum f