codex-review
Pass
Audited by Gen Agent Trust Hub on Mar 23, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to run a custom command-line tool named codex. It utilizes several flags like --uncommitted, --commit, and --base to scope the review process, often passing complex prompt strings via shell subshells and heredocs.
- [DATA_EXFILTRATION]: By design, the skill extracts code diffs and project metadata (such as conventions from CLAUDE.md) and transmits them to an external service for analysis via the codex command. This behavior is consistent with the skill's primary objective.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface (Category 8) as it processes data from git diffs which could contain adversarial content designed to mislead the analysis model.
  - Ingestion points: Ingests git diff data, branch names, and project-level documentation (CLAUDE.md).
  - Boundary markers: The instructions use shell quotes and heredocs, but the skill lacks explicit markers or delimiters to separate the trusted review instructions from the untrusted code content processed by the external tool.
  - Capability inventory: The skill can execute shell commands, read local files, and write review output to the filesystem.
  - Sanitization: No validation or sanitization of the input code or repository metadata is implemented before the data is passed to the external reviewer tool.
Audit Metadata