codex
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH
COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- COMMAND_EXECUTION (HIGH): The skill provides access to the `--yolo` flag. As documented in `SKILL.md` and `references/exec-reference.md`, this mode offers 'No restrictions', 'No sandbox', and 'Full system access'. In non-interactive mode, this allows an LLM to execute arbitrary commands and modify files on the host system without any human-in-the-loop verification.
- CREDENTIALS_UNSAFE (MEDIUM): The documentation in `SKILL.md` and `references/exec-reference.md` encourages the use of `CODEX_API_KEY=sk-...` to authenticate. While this is a standard CLI pattern, in the context of an AI agent it increases the risk of the key being logged, exposed in process trees, or leaked if the environment is captured.
- DATA_EXPOSURE (LOW): The tool is designed to read from any file path provided in a prompt (e.g., `~/.codex/config.toml`, `~/.aws/credentials`). When combined with the `--yolo` or `--full-auto` flags, it has the capability to read and potentially exfiltrate sensitive configuration files.
- INDIRECT_PROMPT_INJECTION (LOW): The skill is intended to process external codebases and PR diffs. It lacks explicit boundary markers or sanitization instructions for the data it ingests, making it a surface for indirect prompt injection where malicious comments in a codebase could influence the agent's execution of `codex exec` commands.
Recommendations
- AI detected serious security threats
Audit Metadata