openai-codex-cli
Warn
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user or agent to install a global NPM package `@openai/codex`. This package name uses the scope of a well-known service but is not a verified official package from that organization for the described functionality, making it an unverifiable dependency from an external source.
- [COMMAND_EXECUTION]: The skill describes and enables the use of a tool (`codex`) that is designed to execute arbitrary shell commands. Specifically, it promotes a `full-auto` mode that allows the tool to run tests and fix code failures autonomously. This autonomous command execution on the host system presents a significant capability risk if the agent's instructions or the data it processes are compromised.
- [PROMPT_INJECTION]: The skill documents the ingestion of instructions from a `codex.md` file within a project's repository, creating an indirect prompt injection surface.
  - Ingestion points: Project-level `codex.md` file and the general codebase accessed by the tool.
  - Boundary markers: The documentation does not provide specific delimiters or warnings to the agent to ignore instructions embedded within the processed code files.
  - Capability inventory: The tool has the capability to read and write to the file system and execute shell commands via the `codex` CLI.
  - Sanitization: While the skill mentions an optional 'sandbox' configuration to restrict network and file access, its implementation is left to the user and is not a mandatory safeguard for processing instruction files.
Audit Metadata