codex-plan
Warn
Audited by Gen Agent Trust Hub on Mar 6, 2026
Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the `codex exec` command in a shell environment during Step 5. This command uses a prompt that is dynamically constructed from user-supplied arguments and local file data.
- [REMOTE_CODE_EXECUTION]: The use of the `--full-auto` flag with the `codex exec` tool indicates that the system may automatically run code or commands generated by the AI model. This presents a significant risk because the prompt sent to the model is influenced by external, untrusted data (user input and file contents), potentially allowing arbitrary commands to be executed if the model is successfully injected.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it interpolates user-provided arguments and full source file contents into the Codex prompt without adequate boundary markers or sanitization. This allows an attacker to embed malicious instructions within the project files that could hijack the automation process.
- [DATA_EXFILTRATION]: The prompt-crafting logic in Step 4 instructs the model to read entire files into its context. This means that sensitive information, such as configuration details or internal secrets present in the targeted files, will be sent to the remote LLM service provider as part of the skill's normal operation.
Audit Metadata