oracle

Warn

Audited by Gen Agent Trust Hub on May 1, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [PROMPT_INJECTION]: The SKILL.md workflow contains a directive that explicitly instructs the agent not to read the source code of the skill's scripts ("Do not read script source code. Run scripts directly"). This is a concealment technique designed to prevent the AI agent from auditing the logic of the scripts it is about to execute, which can hide malicious behavior.
  • [DATA_EXFILTRATION]: The script scripts/codex-oracle.py includes a --context-file parameter that allows the agent to read any file on the local filesystem. The contents of these files are then interpolated into a prompt and sent to the remote Codex service. If the agent is manipulated into reading sensitive files (e.g., .env, .ssh/id_rsa), this functionality serves as a direct data exfiltration vector.
  • [COMMAND_EXECUTION]: The skill launches the codex CLI through subprocess.run with a high-autonomy configuration (approval_policy="never"). That setting tells the CLI to run the commands the model proposes without asking the user, so any confirmation step the tool would normally present is skipped and control over what executes is delegated to the remote model with reduced oversight.
  • [REMOTE_CODE_EXECUTION]: The skill's core operation is to hand the assembled prompt to codex exec, which runs a model-driven agent in the local working directory while a remote model decides what to do. If the remote service returns hostile instructions, or the CLI or the inputs it processes are compromised, the resulting commands execute on the local machine, and under approval_policy="never" they execute without review.
  • [EXTERNAL_DOWNLOADS]: The skill requires a global install of the npm package @openai/codex, the published OpenAI Codex CLI. Even for a vendor-published package, an unpinned global npm install is a supply chain dependency: the agent is instructed to fetch and run whatever the registry currently serves under that name, with no version pin or integrity check in the workflow.
  • [DATA_EXFILTRATION]: Indirect Prompt Injection Surface (Category 8):
    • Ingestion points: The skill ingests untrusted data through the --question and --context-file arguments in scripts/codex-oracle.py.
    • Boundary markers: The prompt uses XML-style tags (<question>, <context>) to separate user data from instructions, though these provide only minimal protection against malicious inputs.
    • Capability inventory: The skill has full read access to the filesystem and the ability to execute external CLI commands.
    • Sanitization: No sanitization or validation is performed on the user-provided question or file contents before they are transmitted to the external API.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 1, 2026, 02:21 PM