codex-cli
Fail
Audited by Gen Agent Trust Hub on Mar 9, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill exposes the full functionality of the `codex` CLI, which is designed to execute arbitrary shell commands based on natural language. The availability of the `--yolo` flag and the `danger-full-access` sandbox mode explicitly allows for the execution of commands without any user approval or filesystem restrictions, posing a significant risk of system compromise.
- [REMOTE_CODE_EXECUTION]: The skill supports "Cloud tasks" via `codex cloud exec`, which executes instructions in remote environments. Furthermore, the MCP server configuration enables the execution of arbitrary external scripts and commands (e.g., via `npx`) to initialize tools.
- [DATA_EXFILTRATION]: The configuration reference (`references/config-reference.md`) details an OpenTelemetry (otel) feature that can be configured to export logs and traces to external HTTP or gRPC endpoints. If enabled, this mechanism could be used to exfiltrate sensitive user prompts, environment details, or command outputs.
- [CREDENTIALS_UNSAFE]: The `config.toml` structure allows for the storage of sensitive information, such as `API_KEY` for MCP servers and custom model providers, in plain text. This increases the risk of credential theft if the configuration file is accessed by unauthorized processes or included in backups.
- [EXTERNAL_DOWNLOADS]: The skill encourages the use of `npx` within the MCP server configuration to dynamically download and run packages from the npm registry. This pattern executes unverified remote code at runtime, which is a common vector for supply chain attacks.
- [PROMPT_INJECTION]: The skill presents a large attack surface for indirect prompt injection.
  * Ingestion points: The agent reads local files (codebase), git diffs, and performs live web searches.
  * Boundary markers: While it uses sandboxing and approval policies, these are not robust against adversarial content designed to manipulate the LLM's logic.
  * Capability inventory: The agent has extensive capabilities including shell execution (`codex exec`), file manipulation, and network access across all scripts.
  * Sanitization: No explicit sanitization or filtering of external data is mentioned, allowing malicious instructions in processed data to influence the agent's behavior.
Recommendations
- AI detected serious security threats
Audit Metadata