codex-cli-review
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/review.sh constructs a command string by concatenating user-provided arguments (--base, --title) and executes it using eval. This allows arbitrary command execution if an attacker supplies inputs containing shell metacharacters such as semicolons, backticks, or pipes.
- [DATA_EXFILTRATION]: The skill explicitly configures the Codex CLI with disk-full-read-access. This grants the tool permission to read any file in the environment, potentially exposing sensitive files such as .env, SSH keys, or configuration secrets to the processing engine.
- [EXTERNAL_DOWNLOADS]: The script suggests installing the @openai/codex package from the npm registry, which is the established and well-known distribution channel for this tool.
- [PROMPT_INJECTION]: The skill provides a surface for indirect prompt injection because it processes the entire contents of a git repository (ingestion point: project files) without boundary markers or sanitization. Malicious instructions embedded in the codebase could therefore influence the agent's behavior, although the script has no direct capability to execute code based on those instructions beyond the command injection vulnerability noted above.
Recommendations
- AI detected serious security threats
Audit Metadata