codex-analysis
Fail
Audited by Gen Agent Trust Hub on Apr 18, 2026
Risk Level: HIGH
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses a bash command template codex exec ... "{PROMPT} ..." which interpolates user input directly into a shell execution context. An attacker can provide a prompt containing shell metacharacters (such as "; malicious_command #) to break out of the intended command and execute arbitrary code on the host system.
- [DATA_EXFILTRATION]: Due to the command injection vulnerability in the shell interpolation, an attacker could execute commands to read sensitive environment variables, configuration files, or local data and transmit them to an external server.
- [PROMPT_INJECTION]: The skill explicitly mandates spawning subagents to explore codebases in parallel, creating an indirect prompt injection surface where malicious instructions found in analyzed files could be executed by the reasoning subagents.
- Ingestion points: The codex tool reads and processes the local codebase as its primary input (SKILL.md).
- Boundary markers: There are no delimiters or instructions provided to help the agent distinguish between the user's analysis request and potentially malicious instructions within the files being analyzed.
- Capability inventory: The skill uses the codex CLI to perform high-reasoning tasks and spawns multiple subagents that explore different aspects of the system (SKILL.md).
- Sanitization: No sanitization, escaping, or filtering of the codebase content is performed before it is passed to the reasoning models.
Recommendations
- AI detected serious security threats
Audit Metadata