codex-architect
Pass
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: SAFEPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill interpolates untrusted data from both user input and project files into a high-privilege sub-prompt for the
mcp__codex__codextool without using protective delimiters or boundary markers. - Ingestion points: The user-provided
${QUESTION}and the results of shell commands (likecatandgrep) are directly embedded into the prompt template inSKILL.md. - Boundary markers: Absent. Data is placed directly under headers like
## Questionwithout escaping or XML-style tags to distinguish data from instructions. - Capability inventory: The agent utilizes
ls,grep, andcatfor file system access and can invoke themcp__codex__codexandmcp__codex__codex-replytools. - Sanitization: No sanitization, validation, or instruction-following guardrails are applied to the external content before it is processed by the sub-agent.
- [COMMAND_EXECUTION]: The skill's instructions explicitly direct the agent to execute shell-like commands to perform repository reconnaissance, which could be exploited if the agent is misled by malicious file content.
- Evidence: The prompt template in
SKILL.mdmandates the use ofls src/,grep -r, andcat <relevant files>to research the project. While intended for context gathering, this provides the agent with broad visibility into the local file system and source code, which can be misused if an attacker successfully injects commands into the file system or user question variables.
Audit Metadata