call-codex

Warn

Audited by Gen Agent Trust Hub on Mar 30, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the codex CLI with the --full-auto flag, which lets the secondary agent write to the workspace without per-action user confirmation.
  • [DATA_EXFILTRATION]: The skill reads local source code and transmits it to an external AI model for processing. While this is the intended purpose, it involves sending potentially sensitive data to a remote service.
  • [EXTERNAL_DOWNLOADS]: The skill relies on an external third-party binary (codex) and suggests installation through brew, introducing a dependency on software from an external source.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection by interpolating untrusted file content into a prompt for a secondary AI agent.
  • Ingestion points: File contents are read from the local system (e.g., utils.py) and placed into the prompt template in SKILL.md.
  • Boundary markers: The skill uses markdown code fences as delimiters. A fence is a weak boundary, since a line of matching backticks inside the analyzed file closes the block and everything after it reads as prompt text; beyond that, the skill depends on a natural language instruction ("Do NOT modify any files...") to prevent the secondary agent from taking harmful actions.
  • Capability inventory: The codex tool is configured with workspace-write permissions in SKILL.md, making it capable of modifying the local environment if an injection succeeds.
  • Sanitization: The content being analyzed is not escaped, sanitized, or scanned, so instructions embedded in the code compete with, and can potentially override, the instructions given to the secondary agent.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 30, 2026, 12:57 AM