codex-code-review

Fail

Audited by Gen Agent Trust Hub on Mar 9, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's 'Full' variant in SKILL.md executes {LINT_FIX_COMMAND} and {BUILD_COMMAND}. These placeholders are dynamically resolved from the host project's CLAUDE.md or package.json, allowing an untrusted project to specify commands that the agent will execute.
  • [REMOTE_CODE_EXECUTION]: The skill is granted Bash(yarn:*) and Bash(npm:*) permissions in SKILL.md. These tools can be used to trigger arbitrary code execution through package manager scripts (e.g., preinstall, postinstall, or custom scripts) defined in a malicious repository's configuration.
  • [DATA_EXFILTRATION]: In references/codex-research-instructions.md, the 'Security Review' variant explicitly directs the agent to search for sensitive information including auth, token, session, password, secret, and key. This data, along with project source code, is transmitted to the mcp__codex__codex tool.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It interpolates unsanitized content from git diff, file reads (cat), and commit history directly into the LLM prompts.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain (Category 8):
    • Ingestion points: Raw content enters the prompt via git diff, cat of changed files, and git log output across SKILL.md and all prompt files in references/.
    • Boundary markers: The prompts attempt to use markdown code blocks (e.g., a fenced diff block) as delimiters, which can be bypassed by malicious content containing closing delimiters.
    • Capability inventory: The skill possesses Bash (git, yarn, npm), Read, Grep, and Glob tools for file system interaction, plus the mcp__codex__codex tool for external processing.
    • Sanitization: There is no evidence of sanitization, escaping, or validation of the repository data before it is interpolated into the prompts for the Codex tool.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Mar 9, 2026, 06:40 AM