codex-cli
Fail
Audited by Gen Agent Trust Hub on Feb 22, 2026
Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, REMOTE_CODE_EXECUTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill promotes the use of the --full-auto and --yolo flags, as well as the danger-full-access sandbox mode. These configurations explicitly disable security approvals and sandboxing, allowing the CLI tool to execute arbitrary commands and modify any file on the host system without user intervention.
- EXTERNAL_DOWNLOADS (HIGH): The skill instructs the user to run npm i -g @openai/codex. This package name appears to be impersonating OpenAI, as no such official CLI tool currently exists with that name, and the referenced model versions (GPT-5, GPT-5.2) are fictional. Installing unverified global packages gives such packages high-level persistence and execution capabilities on the host.
- CREDENTIALS_UNSAFE (MEDIUM): The documentation encourages users to pipe their OPENAI_API_KEY directly into the CLI tool (printenv OPENAI_API_KEY | codex login --with-api-key). This pattern can lead to credential exposure in shell history or process logs.
- REMOTE_CODE_EXECUTION (HIGH): Through Pattern 5 (MCP Server Mode), the skill allows the CLI tool to act as a Model Context Protocol server. This enables remote execution of tools and commands defined by the unverified CLI package.
- INDIRECT_PROMPT_INJECTION (LOW): The skill creates a large attack surface for indirect prompt injection.
  1. Ingestion points: processes entire codebases, PR diffs, and images provided via the --cd, --add-dir, and --image flags in SKILL.md and clawdbot-integration.md.
  2. Boundary markers: absent.
  3. Capability inventory: full filesystem read/write (read, write, edit, apply_patch) and command execution (exec, process) across all integration files.
  4. Sanitization: absent.
Recommendations
- AI detected serious security threats