codex
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION] (LOW): Category 8: Indirect Prompt Injection. The skill is designed to ingest and process untrusted data such as git diffs, plans, and source code, which can contain malicious instructions intended to subvert the agent's behavior. Evidence: 1) Ingestion points: processes external data via git diff, cat, and workspace file reads. 2) Boundary markers: absent in the documentation examples; raw data is interpolated directly into prompts. 3) Capability inventory: access to Bash commands including codex, git diff, and cat. 4) Sanitization: no sanitization or validation of the ingested content is performed.
- [COMMAND_EXECUTION] (LOW): The skill grants the agent the ability to execute the codex binary and the system cat command. While restricted by prefix, the Bash(cat:*) pattern allows the agent to read any file on the system accessible to the user, potentially including sensitive credentials or configuration files if the agent is tricked by a malicious prompt.
- [DATA_EXFILTRATION] (LOW): The skill is intended to send workspace data (code, architecture plans) to an external service. While this is the primary purpose, users should be aware that sensitive information passed to the codex tool is transmitted to an external LLM provider.
- [PROMPT_INJECTION] (LOW): Category 7: Metadata Poisoning. The documentation references non-existent model versions (e.g., gpt-5.2-codex), which may be misleading regarding the tool's actual capabilities or the environment's state, although this is likely a placeholder.
Audit Metadata