codex-cli
Warn
Audited by Snyk on Mar 9, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's SKILL.md explicitly documents a --search flag ("Enable live web search"), and references/config-reference.md documents web_search="live", noting that live mode fetches current web data (for example when combined with --yolo/full-access). The agent will therefore fetch and consume untrusted public web content, and text on those pages can steer its actions (indirect prompt injection). The exposure is worst when web search is combined with a mode that removes approval prompts, because no human sees the fetched content before the agent acts on it.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external dependency detected (high risk: 0.90). The config shows runtime execution of remote npm packages via commands like "npx -y @my/mcp-server" (and the admin-enforced "npx @approved/mcp-server"). npx downloads the package from the registry and runs it at launch, and "-y" auto-confirms that install, so the code the agent executes is whatever the registry serves at that moment; an unpinned spec with no exact version gives no way to verify it ahead of time, and an MCP server started this way can directly control agent behavior.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 0.80). The skill explicitly exposes and normalizes unsafe controls (e.g. --yolo, danger-full-access, writable directory flags, and the ability to run arbitrary commands/MCP servers via npx and edit user config files). These are the CLI's own sandbox and approval bypass options rather than hidden commands, but documenting them as routine usage enables an agent to bypass protections and perform arbitrary writes or command execution on the host, so the skill meaningfully pushes the agent toward compromising machine state.
Audit Metadata