codex-orchestrator
Fail
Audited by Gen Agent Trust Hub on Mar 7, 2026
Risk Level: HIGH
Findings: REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The script scripts/codex-version-check.sh performs an automatic "npm update -g @openai/codex" during every execution of the codex-exec.sh script. This mechanism facilitates silent, unverified global modifications and code execution from the NPM registry without user interaction.
- [COMMAND_EXECUTION]: The skill frequently executes external shell commands through codex-exec.sh and codex-session.py (via subprocess.run). It passes user-provided prompts directly to the codex CLI, which can operate in high-privilege sandbox modes.
- [EXTERNAL_DOWNLOADS]: The skill requires and maintains a global NPM package (@openai/codex) and automatically fetches updates from the public NPM registry upon every skill invocation.
- [PROMPT_INJECTION]: The skill architecture is susceptible to indirect prompt injection (Category 8). Mandatory evidence chain: (1) Ingestion: untrusted user prompts enter the system via codex-exec.sh and codex-session.py. (2) Boundary markers: absent; user input is not delimited or accompanied by safety warnings. (3) Capability: the codex tool has capabilities for file system modification and system command execution. (4) Sanitization: no validation or escaping is applied to the inputs.
- [DATA_EXFILTRATION]: The codex-exec.sh script attempts to read sensitive configuration files from other skill directories (e.g., ~/.claude/skills/exa-search/codex-agent-guide.md), which is an unauthorized cross-skill data access pattern.
Recommendations
- AI detected serious security threats
Audit Metadata