codex-architect
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because user-controlled questions are interpolated directly into a tool's system prompt without delimiters or sanitization. Ingestion points: The `/codex-architect` command captures user input into the `${QUESTION}` variable in `SKILL.md`. Boundary markers: Absent; the variable is placed directly into the `prompt` argument for the `mcp__codex__codex` tool. Capability inventory: The `mcp__codex__codex` tool executes `ls`, `grep`, and `cat` commands on the local filesystem. Sanitization: Absent; the question is not escaped or validated before tool execution.
- [COMMAND_EXECUTION]: The `mcp__codex__codex` tool is configured in `SKILL.md` to run shell-like commands (`ls`, `grep`, `cat`) with `approval-policy: 'never'`. While the tool operates in a `read-only` sandbox, the lack of input sanitization means a user could potentially trick the tool into reading sensitive files (e.g., `.env`, `.ssh/config`) if they are accessible within the agent's workspace environment.
Audit Metadata