codex-review
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS] (HIGH): The skill directs users to install from 'BenedictKing/codex-review' via npx. This is an untrusted third-party source not on the whitelist of approved organizations, creating a supply-chain risk.
- [REMOTE_CODE_EXECUTION] (HIGH): Installing and running code from an unverified personal repository allows for the execution of arbitrary scripts on the user's system.
- [PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to Category 8 (Indirect Prompt Injection) because its primary purpose is to ingest untrusted data (external source code).
  - Ingestion points: Processes source code files which may contain malicious instructions in comments or string literals.
  - Boundary markers: None mentioned in documentation to prevent the AI from obeying instructions embedded in the code being reviewed.
  - Capability inventory: Includes file reading (code) and file writing (CHANGELOG.md generation), which allows an attacker to control the contents of local files via malicious code comments.
  - Sanitization: No evidence of sanitization for the untrusted code content before it is processed by the AI.
- [DATA_EXFILTRATION] (MEDIUM): The 'integrated with Codex AI' claim indicates that the skill sends code content to an external service. Without explicit disclosure of what is sent or if sensitive secrets are redacted, this constitutes a risk of data exposure.
Recommendations
- AI detected serious security threats
Audit Metadata