Skills
skills/aradotso/codex-skills/claude-code-codex-delegation/Gen Agent Trust Hub

claude-code-codex-delegation

Pass

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill invokes an external CLI tool named codex using flags like --full-auto and --sandbox write. This configuration allows the tool to perform file modifications and other repository actions without explicit user approval for each operation, creating a risk of unintended changes if a prompt is misinterpreted.
  • [PROMPT_INJECTION]: The instructions direct the agent to suppress stderr output using 2>/dev/null. This suppresses 'thinking tokens' and error messages, effectively concealing the delegated tool's internal reasoning and potential failure states from the user's view.
  • [EXTERNAL_DOWNLOADS]: Standalone installation involves cloning code from github.com/skills-directory/skill-codex.git. This is an external repository from a source not recognized as a trusted vendor, and the skill lacks integrity verification for the downloaded content.
  • [PROMPT_INJECTION]: The skill presents a surface for indirect prompt injection by ingesting and summarizing output from the codex tool—which may process untrusted repository content—without using explicit boundary markers or sanitization logic.
  • Ingestion points: Resulting output from codex exec commands (SKILL.md).
  • Boundary markers: No markers identified for separating tool output from agent context.
  • Capability inventory: File system modification via codex exec --sandbox write and code execution via CLI (SKILL.md).
  • Sanitization: No sanitization or validation of tool output is described.
Audit Metadata
Risk Level
SAFE
Analyzed
May 19, 2026, 12:56 AM