codex-cli-best-practice

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). This skill explicitly instructs agents to fetch and ingest data from public third-party sources (e.g., the Open‑Meteo API via the weather MCP server and GitHub via MCP/github integrations) in SKILL.md and config examples, and that fetched content is parsed and used to drive downstream tool calls and skill invocation, which could enable indirect prompt injection.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill's .codex/config.toml launches MCP servers via npx (e.g., args ["-y", "@modelcontextprotocol/server-filesystem"] and ["-y", "@modelcontextprotocol/server-github"]), which fetch and execute remote npm packages at runtime and are used as required MCP dependencies for agent tool access.