collaborating-with-codex
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The bridge script (
scripts/codex_bridge.py) usessubprocess.Popento invoke the externalcodexCLI tool. It constructs command-line arguments directly from user-supplied input and configuration flags. - [REMOTE_CODE_EXECUTION]: The skill is designed to delegate task execution to an external agent (Codex) which can perform code execution and file modifications in the local environment. It includes explicit support for dangerous flags such as
--bypass-sandboxand--bypass-hook-trustwhich are used to skip internal security approvals and sandboxing. - [EXTERNAL_DOWNLOADS]: The skill exposes the Codex CLI's
--searchcapability, which enables the agent to perform live web searches and retrieve information from external sources during its execution. - [PROMPT_INJECTION]: The skill's primary function is to forward instructions to a delegated agent, creating a surface for indirect prompt injection where malicious content in processed files or data could influence the delegated agent's actions.
- Ingestion points: Prompt input via CLI arguments or files in
scripts/codex_bridge.py. - Boundary markers: No delimiters or safety instructions are added to the prompt before delegation.
- Capability inventory: The delegated agent has the capability to execute shell commands and perform file system operations, with authority levels ranging up to full access.
- Sanitization: No validation or filtering is performed on the prompt text before it is passed to the Codex CLI.
Audit Metadata