codex-orchestrator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly enables live web retrieval of arbitrary public content via the --web-search / --search options (which cause codex-exec.sh to set web_search="live" and inject Exa guidance into AGENTS.md), so the Codex subagents can fetch and interpret open web pages as part of normal workflow (see SKILL.md/README examples and scripts/codex-exec.sh handling of --web-search/--search), creating a clear avenue for indirect prompt injection from untrusted web sources.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). codex-exec.sh invokes codex-version-check.sh --auto-update which runs "npm view @openai/codex" and may run "npm update -g @openai/codex" (pulling code from the npm registry, e.g. https://registry.npmjs.org/@openai/codex), so at runtime the skill fetches and installs remote code that the skill depends on and which can change/execute the agent CLI behavior.