codex (skills/fikriaf/agentos/codex)

Fail

Audited by Gen Agent Trust Hub on Apr 29, 2026

Risk Level: HIGH
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill recommends a global installation of '@openai/codex' via npm. '@openai/codex' is the package name OpenAI publishes for its Codex CLI, so the package itself is not unofficial; the supply-chain risk is that the skill pulls an unpinned version from the registry at install time, with no instruction to verify the package against the vendor's repository or to pin a release.
  • [REMOTE_CODE_EXECUTION]: The skill relies on the 'codex' CLI to generate and execute code locally. It explicitly instructs the agent to use the '--yolo' flag (the short alias of '--dangerously-bypass-approvals-and-sandbox'), which disables both the sandbox and the approval prompts, allowing the autonomous tool to execute arbitrary commands on the host system without a human in the loop.
  • [COMMAND_EXECUTION]: The skill makes heavy use of the terminal tool to clone external repositories, check out pull requests, and manage processes. These commands are often chained with the autonomous 'codex' tool, providing a wide attack surface for command injection or unintended system modifications.
  • [DATA_EXFILTRATION]: Because the skill operates on untrusted code (from external GitHub PRs) and uses an autonomous agent with full system permissions and internet access (for the OpenAI API), there is a high risk that sensitive environment variables, credentials, or local data could be exfiltrated.
  • [PROMPT_INJECTION]: The skill is highly vulnerable to Indirect Prompt Injection. It ingests data from external repositories ('git clone', 'gh pr checkout') and processes it with an autonomous coding agent. A malicious repository could contain hidden instructions that cause the agent to perform harmful actions on the user's machine.
  • Ingestion points: SKILL.md (lines 43, 62), where external code is cloned and checked out.
  • Boundary markers: None. No delimiters or instructions to ignore embedded commands in the processed files are provided.
  • Capability inventory: Full shell access via 'terminal' tool (SKILL.md lines 19, 23, 30, 43, 51, 62, 70) and autonomous execution via 'codex --yolo'.
  • Sanitization: None. Data from untrusted sources is passed directly to an autonomous execution engine.
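The findings above reduce to three patterns in the skill's instructions: an unpinned global npm install, commands that pull untrusted code into the workspace, and a 'codex' invocation with approvals and sandboxing disabled. The following scanner, added here as an illustration and not part of the Trust Hub's own tooling, detects those patterns in a SKILL.md and derives a risk level the same way the audit does (untrusted input reaching an unsandboxed executor is HIGH). The sample SKILL.md text is constructed for the example and is not the audited file.

```python
import re
from dataclasses import dataclass

# Constructed sample SKILL.md excerpt (illustrative; not the audited skill file).
SAMPLE_SKILL_MD = """\
# codex helper
1. Install: `npm install -g @openai/codex`
2. Fetch the PR: `gh pr checkout 123`
3. Or clone: `git clone https://github.com/example/untrusted-repo.git`
4. Run the agent: `codex --yolo "fix the failing tests"`
"""

# Flags that turn off Codex's approval prompts and sandbox; --yolo is the short alias.
BYPASS_FLAGS = ("--yolo", "--dangerously-bypass-approvals-and-sandbox")

@dataclass
class Finding:
    line: int
    category: str
    detail: str

def scan_skill(text):
    """Return one Finding per risky instruction line in a SKILL.md body."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()

        # Global npm install: flag it when no version is pinned (e.g. @openai/codex
        # rather than @openai/codex@1.2.3). A scoped name starts with '@', so strip
        # that before looking for the '@version' suffix.
        m = re.search(r"npm\s+(?:install|i)\s+(?:-g|--global)\s+(\S+)", line)
        if m and "@" not in m.group(1).lstrip("@"):
            findings.append(Finding(n, "EXTERNAL_DOWNLOADS",
                                    f"unpinned global install of {m.group(1)}"))

        # Ingestion points: external code entering the workspace.
        if re.search(r"\b(git\s+clone|gh\s+pr\s+checkout)\b", line):
            findings.append(Finding(n, "PROMPT_INJECTION",
                                    "ingestion point: external code checked out"))

        # Autonomous execution with sandbox and approvals disabled.
        if re.search(r"\bcodex\b", line) and any(f in line for f in BYPASS_FLAGS):
            findings.append(Finding(n, "REMOTE_CODE_EXECUTION",
                                    "codex invoked with approvals and sandbox disabled"))
    return findings

def risk_level(findings):
    """HIGH when untrusted input can reach an unsandboxed executor, as in the audit."""
    cats = {f.category for f in findings}
    if "REMOTE_CODE_EXECUTION" in cats and "PROMPT_INJECTION" in cats:
        return "HIGH"
    if cats:
        return "MEDIUM"
    return "LOW"

if __name__ == "__main__":
    found = scan_skill(SAMPLE_SKILL_MD)
    for f in found:
        print(f"line {f.line}: [{f.category}] {f.detail}")
    print("Risk Level:", risk_level(found))
```

The pinned-version check is deliberately strict: a version pin does not by itself prove the package is the vendor's, but it removes the "whatever the registry serves today" variable and gives the reviewer a concrete artifact to verify.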
Recommendations
  • Do not instruct the agent to pass '--yolo' (or '--dangerously-bypass-approvals-and-sandbox'); leave Codex's default sandbox and approval prompts in place so that commands derived from untrusted PR content require confirmation before they run.
  • Pin the '@openai/codex' version in the install step and verify the package against OpenAI's repository before installing it globally.
  • Treat cloned repositories and checked-out PRs as untrusted input: review the files before handing them to the agent, and do not rely on the agent to ignore embedded instructions, since the skill provides no boundary markers or sanitization.
  • Run the agent in an isolated environment (throwaway checkout, no inherited cloud credentials, tokens, or SSH keys) so that a prompt-injected action has nothing sensitive to exfiltrate.
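One concrete way to apply the isolation recommendation, added here as an example and not taken from the skill or from the Trust Hub: run the agent through a wrapper that hands the child process only an allow-listed environment and a throwaway HOME, so cloud keys, API tokens and dotfiles such as ~/.aws or ~/.ssh are not visible to whatever the cloned PR talks the agent into running. The allow-list, the constructed 'AWS_SECRET_ACCESS_KEY' value, and the probe command are assumptions for the example; the wrapper is tool-agnostic and would wrap the 'codex' command in the same way.

```python
import os
import subprocess
import sys
import tempfile

# Variables the agent legitimately needs; everything else is dropped. (Assumed list.)
ALLOWLIST = ("PATH", "LANG", "TERM")

def isolated_env(allow=ALLOWLIST, extra=None):
    """Build a minimal environment: allow-listed variables plus a fresh, empty HOME."""
    env = {k: os.environ[k] for k in allow if k in os.environ}
    # Empty HOME means no ~/.ssh, ~/.aws, ~/.netrc or shell rc files for the agent to read.
    env["HOME"] = tempfile.mkdtemp(prefix="agent-home-")
    if extra:
        env.update(extra)  # e.g. a short-lived, scoped API key for the model endpoint
    return env

def run_isolated(argv, cwd=None):
    """Run argv with the scrubbed environment; return (returncode, stdout)."""
    proc = subprocess.run(argv, env=isolated_env(), cwd=cwd,
                          capture_output=True, text=True)
    return proc.returncode, proc.stdout

def secret_is_hidden(var="AWS_SECRET_ACCESS_KEY"):
    """Put a constructed secret in our own environment, then confirm a child cannot see it."""
    os.environ[var] = "constructed-test-value"  # constructed for the example, not a real key
    probe = f"import os; print(os.environ.get({var!r}, ''))"
    rc, out = run_isolated([sys.executable, "-c", probe])
    return rc == 0 and out.strip() == ""

if __name__ == "__main__":
    print("secret hidden from child:", secret_is_hidden())
    print("child environment keys:", sorted(isolated_env()))
```

Inside the wrapper the agent still has whatever the checked-out repository contains and whatever the allow-listed variables expose, so this complements, rather than replaces, keeping Codex's own sandbox and approval prompts enabled.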
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 29, 2026, 06:05 AM