codex

Fail

Audited by Gen Agent Trust Hub on Feb 12, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis

================================================================================

🔴 VERDICT: HIGH

This skill presents a HIGH security risk due to its reliance on an unverified external binary (codex CLI), its explicit support for full system access (--sandbox danger-full-access), and the potential for indirect prompt injection through user-supplied arguments to the codex command.

Total Findings: 4

🔴 HIGH Findings:

  • Unverifiable Dependency
    • SKILL.md: The skill's core functionality relies entirely on the codex CLI, an external binary that is a prerequisite and cannot be audited as part of this skill analysis. The security and behavior of this external tool are unknown.
  • Command Execution / Privilege Escalation
    • SKILL.md: The skill explicitly instructs on and allows the use of --sandbox danger-full-access for the codex exec command. This mode grants the codex CLI full system access, enabling it to execute arbitrary commands with high privileges. While the skill states it will ask for user permission, the capability for full system compromise is present.
  • Indirect Prompt Injection
    • SKILL.md: The skill constructs codex exec commands using user input (e.g., model choice, reasoning effort, the actual prompt for codex). If this user input is not rigorously sanitized, a malicious user could inject arbitrary shell commands or codex flags, leading to arbitrary command execution or unintended behavior. The instruction "User can override model if needed" is a specific point of concern for injection.

🔵 LOW Findings:

  • External Download
    • README.md: The installation instructions involve git clone --depth 1 git@github.com:skills-directory/skill-codex.git. This downloads code from github.com, which is a trusted external source. This finding is noted but does not elevate the overall verdict.

================================================================================

Recommendations
  • AI detected serious security threats

Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 12, 2026, 10:44 PM