codex-cli

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports adding arbitrary Model Context Protocol (MCP) servers (see "MCP Servers" with mcp_servers.my-api url = "https://my-server.example.com/mcp"), enables network access via sandbox_workspace_write.network_access and a --live-search flag, meaning the agent can fetch and consume untrusted third-party web content that could influence tool use and actions.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly documents and encourages bypassing sandboxing and approval controls (flags like --dangerously-bypass-approvals-and-sandbox / --yolo and sandbox mode danger-full-access), running arbitrary shell commands, and installing global packages, which directly enable the agent to modify the host system and compromise machine state.