codex
Warn
Audited by Gen Agent Trust Hub on Apr 28, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill instructions describe constructing shell commands by interpolating user-provided text directly into a command string: `echo "your prompt here" | codex exec ...`. Inside double quotes a POSIX shell (sh, bash, zsh) still performs parameter expansion and command substitution, so a prompt containing `$(command)` or backticks executes arbitrary commands on the host as soon as that string is handed to a shell. The risk materializes whenever the agent runs the assembled string through a shell (for example a "run shell command" tool); double quotes are not a boundary there.
- [COMMAND_EXECUTION]: The skill enables high-privilege execution modes through the `--sandbox danger-full-access` and `--full-auto` flags. The skill correctly mandates obtaining user permission via `AskUserQuestion` before using these flags, but they significantly expand the blast radius if the agent is manipulated into executing a malicious prompt.
- [PROMPT_INJECTION]: The skill processes untrusted user input and includes it in the context of a shell command execution. The evidence chain for indirect injection:
  - Ingestion points: user-provided prompts for code analysis or editing (the "your prompt here" placeholder).
  - Boundary markers: the instructions rely on double quotes, which do not suppress expansion or command substitution in POSIX shells and therefore do not prevent shell injection.
  - Capability inventory: full shell access to run the `codex` CLI at various sandbox levels, including broad network and system access.
  - Sanitization: there is no explicit instruction to escape or sanitize shell metacharacters before execution.
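The following script is an added example written for this page; it is not code from the audited skill or from the audit. It reproduces the interpolation pattern the findings describe, with `cat` standing in for `codex exec ...`, and contrasts it with passing the prompt as data. The prompt text is constructed and carries a harmless `$(echo INJECTED)` where an attacker would place a real command; the helper names (`run_unsafe`, `run_safe`, `has_cmd_subst`, `run_checked`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the audited skill or the audit): why quoting a prompt
# inside a command string is not a boundary, and how to pass it as data instead.
# `cat` stands in for `codex exec ...`; the prompt is constructed, with a benign
# $(echo ...) where an attacker would put a real command.

PROMPT='Refactor this function $(echo INJECTED) please'

# Vulnerable pattern from the finding: build `echo "<prompt>" | codex exec` as a
# STRING and hand it to a shell. The shell re-parses the double-quoted text, so
# $(...) and backticks inside the prompt run on the host.
run_unsafe() {
    cmd="echo \"$1\" | cat"
    sh -c "$cmd"
}

# Hardened pattern: the prompt travels as an argument to printf and is written
# to the pipe byte-for-byte. Nothing re-parses it, so metacharacters stay inert.
# This also neutralises plain $VAR expansion, which would otherwise leak
# environment contents into the prompt.
run_safe() {
    printf '%s\n' "$1" | cat
}

# Defence in depth for the "Sanitization" gap: detect command-substitution
# syntax. Returns 0 (true) when `$(` or a backtick is present.
has_cmd_subst() {
    case "$1" in
        *'$('*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Wrapper an agent could call: fail closed before anything reaches a shell,
# and even when the check passes, never re-parse the prompt.
run_checked() {
    if has_cmd_subst "$1"; then
        echo "refused: prompt contains command substitution" >&2
        return 2
    fi
    run_safe "$1"
}

# Demonstration when run directly.
echo "unsafe: $(run_unsafe "$PROMPT")"
echo "safe:   $(run_safe "$PROMPT")"
run_checked "$PROMPT" || echo "run_checked exit status: $?"
```

Run it with `sh script.sh`: the unsafe line prints `INJECTED` in place of the substitution, the safe line prints the prompt verbatim, and the checked wrapper refuses. The detector is a backstop only; the real fix is `run_safe`, because an agent that invokes the process with an argument list (no `sh -c`) never exposes the prompt to shell parsing in the first place.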
Audit Metadata