collaborating-with-codex

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The bridge script (scripts/codex_bridge.py) uses subprocess.Popen to invoke the external codex CLI tool. It constructs command-line arguments directly from user-supplied input and configuration flags.
  • [REMOTE_CODE_EXECUTION]: The skill is designed to delegate task execution to an external agent (Codex) which can perform code execution and file modifications in the local environment. It includes explicit support for dangerous flags such as --bypass-sandbox and --bypass-hook-trust which are used to skip internal security approvals and sandboxing.
  • [EXTERNAL_DOWNLOADS]: The skill exposes the Codex CLI's --search capability, which enables the agent to perform live web searches and retrieve information from external sources during its execution.
  • [PROMPT_INJECTION]: The skill's primary function is to forward instructions to a delegated agent, creating a surface for indirect prompt injection where malicious content in processed files or data could influence the delegated agent's actions.
  • Ingestion points: Prompt input via CLI arguments or files in scripts/codex_bridge.py.
  • Boundary markers: No delimiters or safety instructions are added to the prompt before delegation.
  • Capability inventory: The delegated agent has the capability to execute shell commands and perform file system operations, with authority levels ranging up to full access.
  • Sanitization: No validation or filtering is performed on the prompt text before it is passed to the Codex CLI.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 04:18 PM
Security Audit — agent-trust-hub — collaborating-with-codex