codex-agent

Warn

Audited by Gen Agent Trust Hub on Mar 23, 2026

Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/codex-async acts as a wrapper for an external CLI tool named codex. It invokes codex exec with the --full-auto flag, which allows for autonomous operations without human intervention.
  • [COMMAND_EXECUTION]: The skill documentation explicitly defines a --sandbox option with a danger-full-access setting. This mode provides the execution engine with high-privilege access to the environment, increasing the risk of significant system impact if malicious instructions are processed.
  • [COMMAND_EXECUTION]: The script manages background tasks by writing PIDs and metadata to /tmp/codex-tasks. On shared systems, the use of predictable paths in /tmp without strict permissions can lead to local privilege escalation or task manipulation.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection.
      • Ingestion points: The skill reads user prompts and operates on files within the specified --cd (workdir) path via codex exec.
      • Boundary markers: No boundary markers or 'ignore' instructions are used to delimit external code from system instructions.
      • Capability inventory: The skill can execute arbitrary commands and modify files through the codex CLI with full autonomy.
      • Sanitization: While the prompt is escaped using json.dumps for storage in a local metadata file, the content passed to the codex executor is unvetted, allowing content within the project files to potentially hijack the agent's logic.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 23, 2026, 06:08 AM