codex-review

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill instructs the agent to execute shell commands directly, primarily involving the codex CLI binary and standard Linux utilities like mktemp and cat for output management.
  • [COMMAND_EXECUTION]: The agent is guided to use the codex tool which can have broad permissions, including workspace write access when used with flags like --sandbox workspace-write or --full-auto.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface:
      ◦ Ingestion points: The skill ingests untrusted data in the form of code diffs and repository files during automated review cycles (e.g., in Patterns 1, 4, and 6 in SKILL.md).
      ◦ Boundary markers: The prompt templates provided in references/prompts.md lack explicit delimiters (e.g., XML tags or special tokens) to separate instructions from the untrusted code being analyzed.
      ◦ Capability inventory: The codex CLI tool as described in SKILL.md can perform workspace writes and execute arbitrary prompts, providing an action surface for malicious instructions embedded in code.
      ◦ Sanitization: No sanitization, escaping, or filtering of the ingested code diffs is mentioned in the instruction set.
  • [SAFE]: The skill includes several security best practices, such as recommending --sandbox read-only as the default mode for review tasks.
  • [SAFE]: Detailed guidance is provided on managing command output to prevent buffer issues and to allow for human oversight via file redirection.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: May 11, 2026, 11:29 PM