codex-review

Pass

Audited by Gen Agent Trust Hub on Mar 6, 2026

Risk Level: SAFE (findings: PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted content and interpolates it into AI prompts without sanitization or robust delimiters.
    • Ingestion points: Step 0 and Step 1 in SKILL.md read user-provided file paths, git diff output, and GitHub PR content.
    • Boundary markers: The templates in references/prompt-templates.md lack explicit boundary markers or instructions to ignore embedded instructions within the {{REVIEW_TARGET}} and {{SOURCE_CODE}} placeholders.
    • Capability inventory: The skill can execute subprocesses (git, gh, codex), read local files, and write to the /tmp directory.
    • Sanitization: No sanitization or escaping of the ingested content is performed before interpolation.
  • [COMMAND_EXECUTION]: The skill uses shell command substitution $(cat /tmp/codex-review-input-${ID}.md) to pass file contents as arguments to the codex tool. This pattern can lead to issues if the content is large enough to exceed shell argument limits (ARG_MAX) or contains characters that could be misinterpreted as command-line flags by the receiving tool.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 6, 2026, 12:38 PM