omx
Fail
Audited by Gen Agent Trust Hub on Mar 20, 2026
Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documentation explicitly recommends using the `--madmax` flag, which it defines as mapping to the Codex CLI `--dangerously-bypass-approvals-and-sandbox` flag. This instructs the agent to operate without security constraints or mandatory human approvals.
- [EXTERNAL_DOWNLOADS]: Installation requires downloading and globally installing an npm package (`oh-my-codex`) from an external repository and running setup and diagnostic commands that execute third-party code on the host system.
- [COMMAND_EXECUTION]: The skill supports a plugin architecture using lifecycle hooks stored in `.omx/hooks/*.mjs`. These local files are executed during session events, providing a mechanism for persistent arbitrary code execution within the agent's runtime environment.
- [PROMPT_INJECTION]: The orchestration layer ingests external data from project files and custom instructions without sanitization or boundary markers, creating a surface for indirect prompt injection where malicious content could hijack agent behaviors.
- Ingestion points: project-level `AGENTS.md` file, `.omx/hooks/` files, and local files accessed via the Grep and Glob tools.
- Boundary markers: no explicit delimiters or instruction-ignore warnings are identified in the skill logic.
- Capability inventory: Extensive permissions including Bash execution, file write access, and coordination of up to 30 specialized agents.
- Sanitization: No evidence of input validation, escaping, or filtering for external content interpolated into prompts.
Recommendations
- AI detected serious security threats
Audit Metadata