codex
Warn
Audited by Gen Agent Trust Hub on Mar 22, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes the codex CLI tool to perform code analysis and automated editing. It also executes standard Go development tools such as go test and go build.
- [DATA_EXFILTRATION]: The skill provides a --profile full option that enables network or broad filesystem access via the danger-full-access flag. This capability allows the underlying worker to access sensitive data across the filesystem or transmit data over the network.
- [PROMPT_INJECTION]: The skill processes natural language instructions to modify source code, creating a surface for indirect prompt injection. The documentation acknowledges that the execution can result in destructive side effects, such as deleting files or removing test functions, which could be triggered by adversarial input within the analyzed codebase or the prompt.
  - Ingestion points: The skill accepts a prompt argument for the codex exec command, which is used to guide the worker's actions on the workspace.
  - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used to separate the system prompt from the data.
  - Capability inventory: The skill possesses the ability to write to the workspace (--profile edit), access the network (--profile full), and execute build commands.
  - Sanitization: No sanitization of the input prompt is performed; users are advised to manually verify changes using git diff after completion.
- [COMMAND_EXECUTION]: Commands are configured to redirect stderr to /dev/null, which hides error messages and could mask suspicious execution failures or warnings from the user.