codex-collaborator
Pass
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: LOWPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION] (LOW): The skill is vulnerable to Indirect Prompt Injection (Category 8) as it processes untrusted data (user requirements and git diffs) without sanitization.
- Ingestion points: Stage 1 (
[用户需求描述]) and Stage 3 ([git diff 或文件列表]) in SKILL.md. - Boundary markers: No specific delimiters or boundary markers are used to isolate untrusted user data from instructions.
- Capability inventory: The
mcp__codex__codextool is used for analysis, but all calls are restricted bysandbox="read-only". - Sanitization: No input sanitization is performed.
- Mitigation: The risk is effectively mitigated by the mandatory
sandbox="read-only"constraint and specific instructions for the agent to maintain a critical and skeptical posture toward the tool's output. - [DATA_EXFILTRATION] (LOW): The skill transmits project-specific information, including requirements and code diffs, to an external Codex tool. While this is the intended purpose of a collaborator skill, it involves sending local project data to an external service. The enforcement of a read-only sandbox prevents the tool from performing unauthorized modifications to the local environment.
Audit Metadata