oracle-codex

Pass

Audited by Gen Agent Trust Hub on Apr 23, 2026

Risk Level: SAFE
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes the codex CLI and internal helper scripts (check-codex.sh, run-codex-exec.sh) to interface with OpenAI's models for analysis and review tasks. This execution is performed with restricted sandbox settings (read-only) and validated model parameters.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by interpolating untrusted data (file contents, git diffs) into the context for the Codex CLI. However, the impact is significantly mitigated by the skill's read-only enforcement and its intended use as a consultative oracle rather than a direct implementation tool.
  • Ingestion points: File contents, user queries, and repository diffs are read and included in the prompt construction in SKILL.md.
  • Boundary markers: The workflow does not explicitly define unique delimiters or instructions to ignore embedded commands within the processed files.
  • Capability inventory: The skill executes analysis via the codex exec command using the scripts/run-codex-exec.sh wrapper.
  • Sanitization: No explicit sanitization or filtering of interpolated context is performed; however, the use of a quoted HEREDOC (<<'EOF') in the execution command prevents the prompt content from escaping into the local shell environment.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 23, 2026, 07:43 AM