new-feature
Warn
Audited by Gen Agent Trust Hub on May 7, 2026
Risk Level: MEDIUMPROMPT_INJECTIONCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill includes a "Process Sovereignty Declaration" (流程主权声明) that explicitly forbids the agent from calling specific external skills like brainstorming or planning during its execution. It attempts to override the platform's standard orchestration logic by claiming that its instructions have higher priority than the system's own rules.
- [COMMAND_EXECUTION]: The skill requires the agent to perform multiple file system operations, including scanning directories, moving files between folders, and writing updates to task files in the
.codex/tasks/directory. These operations are intended for state persistence but involve active manipulation of the local file system based on skill instructions. - [PROMPT_INJECTION]: There is a risk of Indirect Prompt Injection because the skill is designed to scan and resume tasks by reading content from files in the
.codex/tasks/directory. If these files are modified by an external actor or process, they could contain malicious instructions that the agent would then process as part of its workflow. - Ingestion points: The agent reads task files from the project's
.codex/tasks/directory (SKILL.md, resume-policy.md). - Boundary markers: No boundary markers or "ignore instructions" delimiters are used when the agent interpolates the content of these files into its context.
- Capability inventory: The agent has the capability to write and move files within the project environment, which could be abused if an injection occurs.
- Sanitization: The skill does not define any validation or sanitization steps for the data retrieved from the task files.
Audit Metadata