doc-review
Pass
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill processes untrusted content from Markdown files, which creates an attack surface for indirect prompt injection where malicious instructions in the document could influence the reviewer.
  1. Ingestion points: Document content is read into the agent context in SKILL.md and through cat commands in references/codex-prompt-doc.md.
  2. Boundary markers: Absent; there are no delimiters separating the document content from the review instructions.
  3. Capability inventory: The mcp__codex__codex tool has access to Read, Grep, Glob, and Bash tools.
  4. Sanitization: None; document content is processed as-is without escaping or verification.
- [COMMAND_EXECUTION]: The skill instructs the Codex tool to execute shell commands to perform project research and verify technical consistency. Evidence: references/codex-prompt-doc.md contains explicit instructions to run ls, grep, and cat commands on project directories such as src/, scripts/, and skills/. The risk is mitigated by the specified read-only sandbox configuration and never-approval policy.
Audit Metadata