codex-team (skills/boshu2/agentops/codex-team)

Status: Warn

Audited by Gen Agent Trust Hub on May 18, 2026

Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION

Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for using the codex CLI with flags like --full-auto and -s danger-full-access. These flags grant the agent significant capabilities, including workspace-wide write access or full system access in specific environments.
  • [EXTERNAL_DOWNLOADS]: The instructions recommend the global installation of the @openai/codex Node.js package. This is a third-party dependency whose security posture is not verified within the skill's context.
  • [PROMPT_INJECTION]: The multi-wave execution strategy involves reading the output of previous agents to provide context for subsequent tasks. This creates a surface for indirect prompt injection, where malicious content generated or encountered by an earlier agent could influence the behavior of later agents in the chain.
    ◦ Ingestion points: Result files in .agents/swarm/results/ and .agents/codex-team/ (as described in the produces field and Step 3/5 of SKILL.md).
    ◦ Boundary markers: None explicitly defined in the prompt generation examples to isolate summarized content from previous agent outputs.
    ◦ Capability inventory: The orchestrator uses the Bash tool to execute shell commands and spawn_agent to create sub-agents.
    ◦ Sanitization: No specific sanitization or filtering of the content read from previous waves is described before it is summarized and injected into new prompts.
  • [SAFE]: The skill references configuration and changelog information from the official Anthropics GitHub repository (https://raw.githubusercontent.com/anthropics/claude-code/main/CHANGELOG.md), which is a well-known and trusted source.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 18, 2026, 02:29 PM