codexsaver-cost-router

Fail

Audited by Gen Agent Trust Hub on May 16, 2026

Risk Level: HIGH
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The installation instructions require cloning a repository from an unverified GitHub account (fendouai/CodexSaver) and installing it locally via pip, which introduces a supply chain risk.
  • [COMMAND_EXECUTION]: The delegate_work_packet tool features an allowed_commands parameter that executes shell commands on the local system. If these commands are influenced by malicious data or an untrusted model response, they could be used to perform unauthorized actions.
  • [DATA_EXFILTRATION]: The skill is designed to send local project context and files to third-party LLM providers (DeepSeek, OpenAI, Anthropic, etc.). While this is the intended functionality, it creates a risk of sensitive data exposure if protected paths are not strictly configured.
  • [PROMPT_INJECTION]: The skill has a significant attack surface for indirect prompt injection because it processes untrusted task descriptions and file content.
      • Ingestion points: task_description and files context across all tool definitions in SKILL.md.
      • Boundary markers: Absent; there are no clear delimiters or instructions for the agent to ignore embedded commands within the processed files.
      • Capability inventory: The skill can execute shell commands (allowed_commands) and modify files through sandboxed patches.
      • Sanitization: No sanitization or validation logic is described for the content being processed or the commands being executed.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 16, 2026, 06:25 PM