run-codex
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill recommends installing the npm package @openai/codex. This is not an official OpenAI distribution, posing a risk of executing malicious code via typosquatting or untrusted software.
- [COMMAND_EXECUTION]: The skill executes local bash scripts and an external CLI. The referenced CLI documentation indicates support for high-risk operations like --full-auto for workspace modifications, which contradicts the read-only claim.
- [PROMPT_INJECTION]: Vulnerable to indirect prompt injection.
  1. Ingestion points: File contents and git diffs are read and included in the prompt context in SKILL.md.
  2. Boundary markers: The prompt construction lacks clear delimiters or instructions to ignore embedded commands.
  3. Capability inventory: The skill can execute shell scripts and CLI commands through scripts/run-codex-exec.sh.
  4. Sanitization: External data is interpolated into the prompt without any sanitization or escaping.
- [COMMAND_EXECUTION]: Recommends global package installations (npm install -g), which often encourage users to use elevated privileges (sudo), increasing the potential impact of installing the unverified dependency.
Audit Metadata