skills/iii-hq/workers/codex/Gen Agent Trust Hub

codex

Warn

Audited by Gen Agent Trust Hub on Jun 16, 2026

Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes the codex CLI on the host system to perform coding tasks and run shell commands within a specified working directory.
  • [REMOTE_CODE_EXECUTION]: The codex_config parameter allows users to define Model Context Protocol (MCP) servers with arbitrary executable commands (e.g., {"command": "gh-mcp"}), which facilitates the execution of arbitrary binaries on the host.
  • [COMMAND_EXECUTION]: The skill includes a danger-full-access sandbox mode that explicitly disables the underlying security sandbox, providing unrestricted access to the host filesystem and environment.
  • [DATA_EXFILTRATION]: The skill supports raw SDK options such as networkAccessEnabled and webSearchMode. These capabilities, when combined with the ability to read any file in the host directory, create a risk of sensitive data exfiltration.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests data from local files and web search results, which can influence the agent's behavior.
  • Ingestion points: Files located in the cwd (working directory) and external content from web searches.
  • Boundary markers: None identified in the skill instructions to separate untrusted data from agent instructions.
  • Capability inventory: File writing, shell command execution, and invocation of other iii bus functions.
  • Sanitization: Relies on the Codex CLI's internal sandbox, which can be manually disabled by the user.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 16, 2026, 02:44 PM
Security Audit — agent-trust-hub — codex