codex
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill instructs the user to install global packages via 'npm install -g @openai/codex' and 'brew install codex'. While the package name implies an official OpenAI source, these are unverified external dependencies that execute at a high privilege level.
- [COMMAND_EXECUTION] (HIGH): The agent's core functionality involves running code locally. The referenced documentation specifies that it can 'run code locally or in the cloud,' which constitutes a high-risk capability if controlled by malicious instructions.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8).
  - Ingestion points: Processes data from local files, GitHub integrations, and Slack messages.
  - Boundary markers: None mentioned in the provided specification to differentiate between instructions and untrusted data.
  - Capability inventory: Possesses full read/edit/run capabilities on the host system, including 'cloud automation' and 'MCP integration.'
  - Sanitization: No evidence of input sanitization or validation of the code it reads and subsequently executes.
- [REMOTE_CODE_EXECUTION] (HIGH): By combining the ability to read external content (e.g., from GitHub or URLs) with the ability to execute code locally, an attacker can achieve RCE by embedding malicious scripts in files the agent is instructed to review or run.
Recommendations
- AI detected serious security threats
Audit Metadata