request-review
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script loads environment variables by calling source on a .env file located within the skill directory. This pattern allows for arbitrary shell command execution if the skill's environment file is maliciously modified.
- [DATA_EXFILTRATION]: The review process runs inside a Docker container that mounts the host's ~/.codex directory with read-write permissions. This directory typically contains sensitive tool configurations and credentials, making them vulnerable to access or modification by the containerized process.
- [EXTERNAL_DOWNLOADS]: The script uses Docker images that can be overridden via environment variables, which could result in the execution of unverified or malicious containers if the configuration is manipulated.
- [COMMAND_EXECUTION]: The skill performs multiple command-line operations, including git push, GitHub CLI interactions, and execution of a shared builder script at ~/.codex/scripts/build-codex-agent-image.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from GitHub PR comments. Ingestion points: scripts/request-review (GitHub API). Boundary markers: Absent. Capability inventory: scripts/request-review (includes docker run, git push, and source). Sanitization: Uses jq for structured parsing but does not sanitize the contents of PR comments before display or storage.
Audit Metadata