codex-upcoming-features
Warn
Audited by Snyk on Feb 28, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). Yes: the skill explicitly clones and syncs public GitHub repositories (SKILL.md steps 3–4; scripts/summarize_upcoming.py functions like ensure_local_repo, sync_local_repo, run_gh_json, and get_pr). It reads and parses repository source files, PRs, and commit messages from the open web (untrusted, user-generated content), which are then interpreted to classify and decide which features/commits to include in the report.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill clones and syncs a remote GitHub repo at runtime (via "https://github.com//.git", defaulting to https://github.com/openai/codex.git) and then mines those fetched source files as the primary data that directly drives the agent's output, so the remote content can directly control what the agent emits.
Audit Metadata