codex-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly enables Codex web search (SKILL.md: "Web Search" / ~/.codex/config.toml with web_search_request = true) and documents adding external MCP HTTP servers (clawdbot-integration.md: "codex mcp add ... --url "), which means the agent will fetch and act on arbitrary public web/HTTP content that could contain untrusted, user-generated instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly grants and encourages full filesystem and command-execution privileges (exec/process/write, --full-auto, "Full Access" including network, add-dir, MCP server modes), and shows examples that auto-approve workspace writes and run arbitrary commands, which enables an agent to modify machine state and perform potentially dangerous actions.