codex
Warn
Audited by Gen Agent Trust Hub on Mar 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed around executing the `codex-wrapper` command and explicitly defines a 'fallback policy' where the agent is instructed to perform direct execution if the primary tool fails twice. This instruction could be exploited to bypass wrapper-specific constraints or safety controls.
- [EXTERNAL_DOWNLOADS]: The documentation points to 'GitHub Releases' and an 'install.sh' script for installation. Since these sources are external to the skill and not from the established list of trusted organizations, they pose a risk of hosting unverified or potentially malicious code.
- [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface by allowing the AI to ingest local file content using `@file` and `@.` syntax. Malicious instructions embedded within a repository's source code or documentation could be processed by the Codex AI, potentially leading to unauthorized actions.
- [REMOTE_CODE_EXECUTION]: By facilitating 'automated code changes' and 'refactoring' across multiple files, the skill provides a mechanism for modifying and executing code. If the task content or the processed files contain malicious logic, the skill could be used to implement unauthorized changes on the host system.
Audit Metadata