skills/tobihagemann/turbo/codex-exec/Gen Agent Trust Hub

codex-exec

Warn

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute the codex CLI using high-privilege sandbox levels including danger-full-access and workspace-write for system operations and file modification.
  • [COMMAND_EXECUTION]: Recommends the use of the --full-auto flag to allow the tool to perform autonomous file edits without requiring user confirmation prompts.
  • [COMMAND_EXECUTION]: Directs the agent to set dangerouslyDisableSandbox: true for tool calls to bypass platform-level security restrictions and allow network communication.
  • [DATA_EXFILTRATION]: The tool is designed to send local context and file content to the external OpenAI API, which represents an exfiltration path for sensitive local data if not carefully managed.
  • [PROMPT_INJECTION]: The documentation defines an indirect injection attack surface by demonstrating how to pipe untrusted context (e.g., context.txt) into an autonomous execution engine with broad system capabilities.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain:
      • Ingestion points: File content via cat context.txt | codex exec and task description arguments.
      • Boundary markers: Suggests the use of XML tags (e.g., , <grounding_rules>) for structure, but these are not enforced as security boundaries.
      • Capability inventory: The codex tool possesses capabilities for file writing, package installation, system operations, network access, and spawning parallel sub-agents.
      • Sanitization: No sanitization, validation, or escaping of the external context input is mentioned or implemented.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 18, 2026, 11:00 PM