codex
Warn
Audited by Gen Agent Trust Hub on Jun 16, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes the
codexCLI on the host system to perform coding tasks and run shell commands within a specified working directory. - [REMOTE_CODE_EXECUTION]: The
codex_configparameter allows users to define Model Context Protocol (MCP) servers with arbitrary executable commands (e.g.,{"command": "gh-mcp"}), which facilitates the execution of arbitrary binaries on the host. - [COMMAND_EXECUTION]: The skill includes a
danger-full-accesssandbox mode that explicitly disables the underlying security sandbox, providing unrestricted access to the host filesystem and environment. - [DATA_EXFILTRATION]: The skill supports raw SDK options such as
networkAccessEnabledandwebSearchMode. These capabilities, when combined with the ability to read any file in the host directory, create a risk of sensitive data exfiltration. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests data from local files and web search results, which can influence the agent's behavior.
- Ingestion points: Files located in the
cwd(working directory) and external content from web searches. - Boundary markers: None identified in the skill instructions to separate untrusted data from agent instructions.
- Capability inventory: File writing, shell command execution, and invocation of other iii bus functions.
- Sanitization: Relies on the Codex CLI's internal sandbox, which can be manually disabled by the user.
Audit Metadata