codex-review
Fail
Audited by Gen Agent Trust Hub on Mar 16, 2026
Risk Level: HIGH
COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill is vulnerable to command injection because it incorporates user-provided arguments and file contents directly into shell commands (e.g., gh pr diff and codex exec) without proper quoting or validation. An attacker could provide a malicious input such as '#123; [command]' or include shell sequences like "; [command]; " in a file to execute arbitrary code on the system.
- [PROMPT_INJECTION]: The skill exposes an indirect prompt injection surface (Category 8) by processing content from untrusted files.
  - Ingestion points: Data is sourced from local files, git diff, and remote GitHub pull requests via the gh CLI.
  - Boundary markers: Prompts include structural headers but lack specific security delimiters or instructions to ignore embedded instructions within the reviewed content.
  - Capability inventory: The skill can execute the codex tool with full-auto permissions and perform file system cleanup operations in /tmp/.
  - Sanitization: Content from external files is interpolated directly into prompts without any sanitization, allowing embedded instructions to potentially manipulate the behavior of the reviewer model.
- [EXTERNAL_DOWNLOADS]: The skill retrieves pull request information and diffs from GitHub using the official gh command-line interface.
Recommendations
- AI detected serious security threats
Audit Metadata