codex

Fail

Audited by Snyk on Feb 16, 2026

Risk Level: HIGH

Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill instructs assembling and previewing shell commands that embed the full user-provided "" (e.g., via -p "" or echo "prompt" | codex ...), so any API keys or secrets in that context would be included verbatim in commands and outputs, creating an exfiltration risk.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The codex-agent explicitly lists the WebFetch tool as "required for documentation lookup during research mode" (codex-agent.md tools/safety controls), which means the agent can fetch and consume open/public third‑party documentation/web pages and thus read untrusted external content as part of its workflow.

MEDIUM W013: Attempt to modify system services in skill instructions.

  • Attempt to modify system services in skill instructions detected (high risk: 0.70). The skill explicitly encourages running the codex CLI with sandbox modes that allow workspace writes and "danger-full-access" (and --full-auto), and mandates bypassing repo checks (--skip-git-repo-check), which enables automatic and broad modifications to the host environment even though it doesn't explicitly request sudo or creation of system accounts.

Audit Metadata

Risk Level: HIGH
Analyzed: Feb 16, 2026, 01:14 AM