council-review
Warn
Audited by Gen Agent Trust Hub on May 1, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The script scripts/codex-review.py executes the codex CLI tool using subprocess.run, incorporating user-supplied parameters such as branch names and commit identifiers directly into the command arguments. While the script does not utilize a shell environment, it relies entirely on the third-party CLI tool to safely handle these inputs without triggering unexpected behavior.
- [EXTERNAL_DOWNLOADS]: The skill instructions require the manual global installation of the @openai/codex package via NPM. This introduces a dependency on external code that is not part of the standard environment and whose integrity is not verified by the skill.
- [PROMPT_INJECTION]: The skill contains directives instructing the agent to 'Do not read script source code' and to 'Run scripts directly'. These instructions discourage the agent from performing safety checks or verifying the behavior of the included scripts, which notably use non-existent model identifiers like 'gpt-5.5'.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data in the form of code diffs and passes them to multiple AI reviewers. Maliciously crafted content within the code comments or the code itself could attempt to manipulate the reviewers' findings or influence the final synthesis of the report.
  - Ingestion points: Git diff data (staged, unstaged, branch comparisons, and specific commits) enters the agent context through the Codex CLI and sub-agents.
  - Boundary markers: The skill provides no explicit markers or instructions to isolate or ignore instructions embedded within the processed diff content.
  - Capability inventory: The skill has the capability to execute local Python scripts and spawn background agents with autonomous tasks.
  - Sanitization: There is no evidence of sanitization or validation of the diff content before it is processed by the AI models.
Audit Metadata