codex-cli

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill documentation exposes multiple high-risk abuse patterns — automatic OAuth token sync, unrestricted/auto-approve execution flags (--full-auto, --yolo, danger-full-access), agent/subagent configs that grant exec/process/write privileges, and MCP/remote endpoints — which together enable credential harvesting, remote code execution and data exfiltration if misused or maliciously configured.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill documentation (SKILL.md and clawdbot-integration.md) explicitly enables Codex web search (web_search_request = true and the --search flag) and adding HTTP MCP servers (e.g., codex mcp add ... --url https://mcp.deepwiki.com/mcp), so the agent can fetch and act on arbitrary public web/MCP content that could carry indirect prompt-injection instructions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 0.90). The skill explicitly grants and encourages full filesystem and command-execution privileges (exec/process/write, --full-auto, "Full Access" including network, add-dir, MCP server modes), and shows examples that auto-approve workspace writes and run arbitrary commands, which enables an agent to modify machine state and perform potentially dangerous actions.