codex
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (COMMAND_EXECUTION)
Full Analysis
- [Command Execution] (HIGH): The skill instructions (SKILL.md) direct the agent to construct shell commands using raw user input, such as 'echo "your prompt here" | codex exec...'. This pattern is highly susceptible to command injection via shell metacharacters (e.g., $(...), ..., or ;) if the input is not strictly sanitized by the calling environment.
- [Privilege Escalation] (MEDIUM): The skill documentation promotes the use of high-risk flags including '--sandbox danger-full-access' and '--skip-git-repo-check', which intentionally bypass the security boundaries and integrity checks of the underlying Codex tool.
- [Metadata Poisoning] (MEDIUM): The skill body and metadata make authoritative and detailed claims about using 'GPT-5.2' and 'GPT-5.1', models that do not exist at the time of this analysis. This deceptive information can mislead users into trusting the skill's capabilities and safety.
- [Indirect Prompt Injection] (LOW): The skill is designed to ingest and summarize the output of repository-wide analysis. Maliciously crafted files within a repository could contain instructions designed to influence the agent's summary or subsequent actions.
- Ingestion points: Local file analysis via 'codex exec'.
- Boundary markers: No markers or 'ignore' instructions are used when passing prompts to the CLI.
- Capability inventory: Execution of the 'codex' CLI with full system/workspace access flags.
- Sanitization: No evidence of input escaping or sanitization before shell interpolation.
Recommendations
- AI detected serious security threats
Audit Metadata