codex-console-automation

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.85). The prompt contains many examples that embed secrets as literal values (plaintext passwords, API keys, CLI flags like --access-password, and code that returns/uploads tokens), so an agent following it could be required to include secret values verbatim in commands, code, or API requests—creating high exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.70). These URLs are a mixed set: while GitHub, Docker/GHCR, and official API endpoints are common distribution channels, the repo/author (dou-jiang) and associated Telegram/blog are third‑party and could host unvetted binaries or container images (and the project’s purpose—mass account/payment automation—has potential for abuse), so although there are no direct .exe/.msi links or URL shorteners, the sources warrant caution and verification before downloading or running.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 1.00). This skill is explicitly designed to automate large-scale OpenAI account creation, credential and token extraction, semi-automated payment card binding, and automated uploads of account credentials to external API gateways—behaviors that enable credential theft, data exfiltration, account fraud, and large-scale abuse.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill's registration workflow and Email Service Integration (see src/services/email_service.py and the "get_verification_code" usage described under "Registration Flow" and "Email Service Integration") explicitly fetch and automatically act on OTP/email content from third‑party mail providers (cloudmail, luckmail, yydsmail, outlook), which is untrusted user-generated content that can directly influence automated decisions and subsequent tool actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill explicitly includes payment automation features: a PaymentService and BindCardTask that accept card_number, expiry, CVV and execute a "bind payment card" flow (with 3DS support and browser-based verification). The docs describe "semi-automated payment card binding," "payment binding," and "payment automation options," which are specific tools to attach and manage payment instruments — i.e., direct financial execution capability.