Skills
skills/tobihagemann/turbo/consult-codex/Gen Agent Trust Hub

consult-codex

Warn

Audited by Gen Agent Trust Hub on Apr 18, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the bash tool to run the codex CLI for multi-turn AI consultations.
  • [COMMAND_EXECUTION]: It explicitly instructs the agent to set dangerouslyDisableSandbox: true during tool calls, which bypasses the default execution environment's security boundaries to allow network communication.
  • [DATA_EXFILTRATION]: The skill facilitates the collection and transmission of project files (2-5 workspace files) to an external service (OpenAI API) for analysis.
  • [REMOTE_CODE_EXECUTION]: The skill supports the -s workspace-write flag, which grants the external AI model the capability to execute code or perform write operations directly within the project's workspace.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests contents from the workspace as context for the external AI model.
  • [PROMPT_INJECTION]: Mandatory Evidence Chain:
  • Ingestion points: Reads up to five files from the user's workspace to provide context (SKILL.md, Step 1).
  • Boundary markers: Suggests using XML tags like <task> and <grounding_rules> to structure the prompt, which provides minimal isolation.
  • Capability inventory: Uses bash to execute codex with potential workspace modification rights.
  • Sanitization: No sanitization or validation of the ingested file content is performed before it is processed by the AI.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 18, 2026, 11:00 PM