arena
Warn
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill explicitly directs the agent to execute the
spawn-codex-workerscript and usedirect codex execto launch background CLI workers. - [PROMPT_INJECTION]: The instructions mandate overriding default agent behaviors, specifically requiring the replacement of standard model defaults with specific requested models like "gpt-5.6-sol" and overriding Cursor-specific commands with direct host terminal operations.
- [PROMPT_INJECTION]: The skill creates an indirect prompt injection surface by instructing the agent to read and "graft" content from multiple subagent outputs ("candidates") without explicit sanitization or boundary markers.
- Ingestion points: Candidate outputs and rationales produced in Phase B and processed in Phases C, D, and E.
- Boundary markers: The instructions do not specify any delimiters or warnings to ignore embedded instructions within candidate content.
- Capability inventory: The skill utilizes shell execution via
codex exec, file system writes to/tmp/and git worktrees, and background process management. - Sanitization: No validation or filtering is mentioned for the content synthesized from the various candidates.
- [DATA_EXFILTRATION]: The skill uses
/tmp/arena-<slug>/for storing output from multiple parallel attempts, which could lead to sensitive data exposure in multi-user environments if permissions are not strictly managed.
Audit Metadata