codex-cli
Fail
Audited by Gen Agent Trust Hub on Mar 12, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill promotes the use of the
--sandbox danger-full-accessflag, which explicitly grants the execution environment broad system and network permissions, bypassing standard isolation. - [COMMAND_EXECUTION]: The instruction to pipe user prompts via
echointo the CLI (echo "prompt" | codex exec resume --last) creates a critical shell injection vulnerability if the agent fails to perform exhaustive escaping of user-provided content. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). 1) Ingestion points: User-provided instructions collected via
AskUserQuestion(SKILL.md); 2) Boundary markers: No delimiters or ignore instructions are defined for the piped input; 3) Capability inventory: Thecodexcommand executes with extensive system permissions; 4) Sanitization: No sanitization or validation of the input prompt is mandated. - [SAFE]: The skill references hallucinated model names such as
gpt-5.1andgpt-5.1-codex, which is misleading metadata but does not represent a direct technical exploit.
Recommendations
- AI detected serious security threats
Audit Metadata