oracle-codex

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill executes a local shell script (check-codex.sh) and the external codex CLI through the agent's Bash tool. This allows arbitrary command execution if the environment or the tool is compromised. Evidence: SKILL.md lines 19 and 63.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill depends on an external tool (the codex CLI) that is not a standard system utility. The source and integrity of this tool are not verified within the skill itself, posing a supply chain risk.
  • [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
    1. Ingestion: Untrusted codebase files and user requests are ingested at Step 3.
    2. Boundary markers: No delimiters or 'ignore-instructions' are used to separate data from instructions.
    3. Capability inventory: The agent has shell access and can write files to ~/.claude/plans/.
    4. Sanitization: Absent.
    Malicious code in the analyzed repository could hijack the Codex prompt to influence the resulting plan or command output.
  • [DATA_EXFILTRATION] (MEDIUM): The skill reads local codebase files and transmits them to an external API (OpenAI) via the codex CLI. While functional, this exposes potentially sensitive source code to a third-party service.
  • [METADATA_POISONING] (MEDIUM): The skill references a non-existent model gpt-5.2-codex and a profile quiet that suppresses notification hooks, which may be intended to mislead the user about the model's capabilities or the skill's operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 06:15 AM