Skills
skills/hoangvantuan/claude-plugin/codex-image/Gen Agent Trust Hub

codex-image

Warn

Audited by Gen Agent Trust Hub on May 12, 2026

Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install a global npm package @openai/codex. This package is not an official OpenAI distribution and represents an unverified dependency from an unknown source.\n- [COMMAND_EXECUTION]: The script scripts/batch-generate.py uses subprocess.run() to execute the codex CLI tool. This allows the skill to execute external system commands based on script logic.\n- [PROMPT_INJECTION]: The skill interpolates raw user-provided image descriptions directly into the command-line arguments for the codex tool in scripts/batch-generate.py. Evidence chain:\n
  • Ingestion points: User prompts via --prompts or --prompt-file arguments in batch-generate.py.\n
  • Boundary markers: None; the input is directly concatenated with instructions.\n
  • Capability inventory: Subprocess execution of the codex binary.\n
  • Sanitization: None; the string is passed raw into the tool context.
Audit Metadata
Risk Level
MEDIUM
Analyzed
May 12, 2026, 07:23 AM