codex-cli-best-practice
Pass
Audited by Gen Agent Trust Hub on May 17, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the implementation of shell hooks (e.g., .codex/hooks/lint-check.sh) and provides examples for project initialization using shell commands.\n- [EXTERNAL_DOWNLOADS]: Documentation includes instructions for installing system packages via Homebrew and cloning reference repositories from GitHub.\n- [REMOTE_CODE_EXECUTION]: Shows configuration for running external tool servers via npx (e.g., @modelcontextprotocol/server-filesystem) and executing local Python scripts to process data.\n- [DATA_EXFILTRATION]: Provides guidance on managing sensitive authentication tokens, such as OPENAI_API_KEY and GITHUB_TOKEN, through environment variables and configuration files.\n- [PROMPT_INJECTION]: Identified an attack surface for indirect prompt injection where the agent processes content from untrusted external sources.\n
- Ingestion points: The weather-agent and data-fetcher examples retrieve data from the Open-Meteo API and GitHub repository metadata.\n
- Boundary markers: No specific delimiters or instructions to ignore embedded prompts are present in the provided templates.\n
- Capability inventory: Capabilities include arbitrary shell command execution via hooks, filesystem access via MCP, and Python script execution.\n
- Sanitization: No input validation or sanitization logic is demonstrated in the reference implementations provided in the guide.
Audit Metadata