openspec-parallel-agents
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
- PROMPT_INJECTION (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) because it ingests and executes content from local prompt files.
  * Ingestion points: Reads files from $CODEX_HOME/prompts and ~/.codex/prompts (e.g., opsx-.md) as identified in SKILL.md.
  * Boundary markers: No markers or delimiters are defined to isolate the content of these files from the agent's main instructions.
  * Capability inventory: The agent can execute commands with side effects, including /opsx:apply (writing files), /opsx:new, and /opsx:archive.
  * Sanitization: No sanitization or safety checks are performed on the ingested file content before it is used to drive the workflow.
- EXTERNAL_DOWNLOADS (MEDIUM): The README.md instructions point to an untrusted third-party repository (github.com/rexleimo/rex-skills) for installation, which is not included in the Trusted Organizations or Repositories list.
- COMMAND_EXECUTION (LOW): The skill is designed to orchestrate multiple system-level CLI commands. While this is the intended purpose, it provides the execution vector for instructions ingested through the indirect injection surface.
Recommendations
- AI detected serious security threats
Audit Metadata