The Agent Skills Directory

[METADATA_POISONING]: The skill references non-existent AI models including 'gpt-5.5', 'gpt-5.4', and 'gpt-5.3-codex-spark'. This misleading information could lead users to trust a tool based on fabricated capabilities.
[EXTERNAL_DOWNLOADS]: The instructions direct users to install third-party packages 'openai-codex-cli' (via pip) and '@openai/codex-cli' (via npm). These are not verified official tools from the vendor mentioned.
[COMMAND_EXECUTION]: The skill is centered around executing a local CLI tool ('codex') which is granted permissions to perform repository-wide analysis and modifications.
[INDIRECT_PROMPT_INJECTION]: The skill describes workflows where the tool processes untrusted repository content. This creates an attack surface for indirect prompt injection, particularly when used with the '--sandbox full' flag which allows the tool to write to the local filesystem.
Ingestion points: Local repository files are read and processed by the CLI tool during 'exec' commands.
Boundary markers: No specific boundary markers or instructions to ignore embedded commands are provided.
Capability inventory: The tool has file read/write capabilities on the local filesystem and network access via the CLI binary.
Sanitization: No sanitization or validation of the input code or the resulting AI-generated modifications is described.
[DYNAMIC_EXECUTION]: The refactoring and code transformation workflows involve the tool generating code that is then applied directly to the filesystem, which constitutes dynamic execution of AI-generated content without an explicit review step when using '--full-auto'.

codex-cli-delegation