handoff-codex

Warn

Audited by Gen Agent Trust Hub on Mar 25, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructions require the installation of a global NPM package '@openai/codex' ('npm install -g @openai/codex'). This package name is non-standard and does not correspond to the official verified distribution channels for OpenAI tools, posing a potential supply chain risk.
  • [COMMAND_EXECUTION]: The skill is designed to generate and run shell commands via the 'codex' CLI. The instructions provided include running arbitrary strings as commands, such as 'codex "Update login function..."', which can be misused if the strings are not properly controlled.
  • [REMOTE_CODE_EXECUTION]: The combination of a global installation of an unverified package and subsequent shell command execution creates a path for potential remote code execution on the user's system.
  • [PROMPT_INJECTION]: The skill defines a structured format for delegating tasks that relies on user-supplied input (e.g., 'Goal', 'Details'). If this input is sourced from untrusted external data, an attacker could manipulate the generated command to perform unauthorized actions.
      • Ingestion points: SKILL.md (via the 'Task for Codex' template sections)
      • Boundary markers: Absent; there are no delimiters used to isolate untrusted data from the command template
      • Capability inventory: Shell execution of the 'codex' CLI tool
      • Sanitization: Absent; the skill does not suggest any escaping or validation of the task strings before they are passed to the CLI
Audit Metadata
  • Risk Level: MEDIUM
  • Analyzed: Mar 25, 2026, 01:14 PM