Gen Agent Trust Hub audit: skills/seika139/dotfiles/with-codex

with-codex

Fail

Audited by Gen Agent Trust Hub on May 4, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions in references/workflows.md and SKILL.md that guide the agent to construct shell commands by inserting user input directly into command strings, such as wsl bash -c 'codex exec "[user question]"'. This is a classic command injection pattern where an attacker could provide a prompt containing shell metacharacters like backticks, semicolons, or quotes to execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill implements an indirect prompt injection surface. It captures output from the external Codex tool using tmux capture-pane and presents it to the agent without sanitization or protective boundary markers. Evidence: the ingestion point is cmd_capture in scripts/codex-manager.sh; boundary markers are absent; the capability inventory includes shell command execution and file access; sanitization is absent. If the external tool generates malicious instructions, the agent might mistakenly follow them.
  • [DATA_EXFILTRATION]: The skill's primary function is to send user prompts to an external CLI tool. This pattern facilitates the transmission of user data and project context to a third-party service without per-request validation, which could be exploited to exfiltrate sensitive information if the agent is manipulated.
  • [EXTERNAL_DOWNLOADS]: The skill references and utilizes the @openai/codex package from OpenAI's official NPM scope.
  • [COMMAND_EXECUTION]: The scripts/codex-manager.sh script uses a predictable temporary file path (/tmp/codex-pane-id) to store session information, which is a poor security practice that can be susceptible to symlink attacks in multi-user environments.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 4, 2026, 02:39 PM