codex-agents
Fail
Audited by Gen Agent Trust Hub on Mar 3, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill uses the exec tool with PTY support to invoke the codex CLI, which is designed to modify the local filesystem and run shell commands.
- [REMOTE_CODE_EXECUTION]: The --yolo execution flag provides a mode that explicitly disables the security sandbox and removes manual approval requirements for code execution and file changes, allowing an external agent to perform unverified operations.
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @openai/codex global NPM package as a prerequisite for its functionality.
- [COMMAND_EXECUTION]: Encourages the use of background processes (background:true) for long-running tasks, which permits the agent to execute system-level operations without continuous user oversight.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it processes untrusted data from project repositories.
  - Ingestion points: Source code files, documentation, and pull requests within the specified workdir are read and processed by the agent.
  - Boundary markers: There are no boundary markers or instructions to the agent to ignore embedded commands within the processed files.
  - Capability inventory: The agent has capabilities for filesystem modification and shell command execution via the codex CLI.
  - Sanitization: No sanitization or input validation is performed on the files ingested from the project directory before they are processed by the LLM.
Recommendations
- AI detected serious security threats