codex-orange-book-guide

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 1.00). The skill includes explicit actions that read, echo, copy, or embed secrets verbatim (e.g., echo $GITHUB_TOKEN, copying OAuth client ID/secret into .env.local, example GITHUB_TOKEN values), which requires the agent to handle and output secret values directly.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly shows fetching and using open-web content — e.g., "codex skill install https://..." for installing skills from arbitrary URLs and the Chrome extension examples ("Extract all product prices from this page", "Fill out this form") — meaning the agent will read/interpret untrusted public web pages and act on them.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 1.00). The skill shows a runtime command that installs external skills which directly control agent behavior—e.g., "codex skill install https://skills.ara.so/nextjs-14-app-router.md" fetches and installs remote skill content that would be injected into the agent's prompts/instructions at runtime.