codex-review
Fail
Audited by Gen Agent Trust Hub on Apr 1, 2026
Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill executes an external CLI tool ('codex') with excessively broad permissions. Specifically, it passes a configuration flag granting 'disk-full-write-access' and 'network-full-access' to the process. This violates the principle of least privilege, as a code review tool generally only requires read access to the relevant files.
- [DATA_EXFILTRATION]: The provision of 'network-full-access' combined with the tool's access to the project's source code and diffs creates a significant risk surface for data exfiltration. An external tool or service with these permissions could transmit sensitive code or discovered vulnerabilities to an external server without user knowledge.
- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection. It ingests untrusted data in the form of git diffs (Step 1 and Step 2) and incorporates this content into a 'focused instruction file' used to guide the Codex reviewer.
  - Ingestion points: Git diffs from the current branch, commits, or uncommitted changes (SKILL.md Step 1).
  - Boundary markers: None identified; the instructions do not use delimiters or explicit 'ignore' directives for embedded content.
  - Capability inventory: The 'codex' tool is executed via Bash with full disk write and network access (SKILL.md Step 3).
  - Sanitization: No sanitization or filtering of the diff content is performed before it is used to generate instructions.
Recommendations
- AI detected serious security threats
Audit Metadata