with-codex
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
Categories: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill executes shell scripts and CLI tools by interpolating user or external prompts directly into command strings (e.g., in the 'send' and 'exec' commands). This creates a severe command injection vulnerability if the input contains shell metacharacters such as semicolons, pipes, or backticks.
- PROMPT_INJECTION (HIGH): The skill is highly vulnerable to Indirect Prompt Injection (Category 8) because it captures up to 200 lines of output from the Codex CLI and provides it to the agent for synthesis without sanitization. (1) Ingestion point: output captured via 'codex-manager.sh capture'. (2) Boundary markers: None identified. (3) Capability inventory: Full shell access through the manager script and Codex CLI. (4) Sanitization: No filtering or escaping of the ingested content is performed. If the external tool processes malicious code and generates instructions, the primary agent may execute them.
- COMMAND_EXECUTION (MEDIUM): The skill depends on external scripts located at '~/.claude/skills/with-codex/scripts/' which are not included in the package for security review, representing an unverified dependency risk.
Recommendations
- AI detected serious security threats
Audit Metadata