codex-review
Warn
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- [PROMPT_INJECTION]: The skill includes deceptive metadata and safety claims, such as a future verification date (2026-06-04) and references to fictional or future model versions (gpt-5.5). These claims are designed to mislead the agent or user about the skill's stability and security status.
- [PROMPT_INJECTION]: The skill creates an automated loop where output from an external model (Codex) is ingested and used by the primary agent to modify files (PLAN.md). This establishes a surface for indirect prompt injection where an external source could influence the agent's behavior and project contents.
- [COMMAND_EXECUTION]: The skill relies on the execution of a non-standard CLI tool (codex) via shell commands, including capturing output to temporary files and resuming persistent sessions with dynamically generated arguments.
- [DATA_EXFILTRATION]: The skill's primary function involves sending repository content and implementation plans to a third-party service via the external codex command. While this is the stated purpose, it represents a high-stakes data flow to an external model provider.