lcx-doctor
Fail
Audited by Snyk on Jun 23, 2026
Risk Level: HIGH
Full Analysis
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 0.90). The doctor workflow requires capturing and citing command output and file contents (e.g., $CODEX_HOME/config.toml, plugin manifests, stderr) verbatim as evidence for each verdict, which can force the model to disclose API keys or other secrets present in those files or outputs.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). The required workflow clones public GitHub repos (gh repo clone / git clone from code-yeongyu/lazycodex and openai/codex) into /tmp, and then reads their installer/config files from those checkouts for comparisons, so outsider-authored free text from public web sources is ingested into the agent's LLM context via the /tmp/*-source materialization and subsequent file reads.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill explicitly runs git/gh clone/fetch against GitHub repos (e.g. https://github.com/code-yeongyu/lazycodex and https://github.com/openai/codex) at runtime to materialize /tmp checkouts that the doctor then reads and uses to drive its diagnostics, so fetched remote content directly controls the agent's prompts/behavior.
Issues (3)
- W007 (HIGH): Insecure credential handling detected in skill instructions.
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
Audit Metadata