how
Warn
Audited by Gen Agent Trust Hub on Jul 10, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to execute shell scripts and binaries not provided in the package, such as
pstack/scripts/spawn-codex-worker.shandcodex exec. Executing scripts from unverified paths on the host system represents a significant security risk.\n- [PROMPT_INJECTION]: The skill includes directives to override platform model defaults and reasoning tiers with custom, non-standard identifiers likegpt-5.6-sol. This attempts to bypass the agent's standard operating configuration and redirect reasoning to unverifiable model profiles.\n- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted codebase data and interpolates it directly into synthesis prompts.\n - Ingestion points: Code snippets and symbol definitions are gathered from the local codebase using
ReadandGrepin theexplorer-prompt.mdfile.\n - Boundary markers: The
{EXPLORER_FINDINGS_ALL}variable inexplainer-prompt.mdis not enclosed in security delimiters (e.g., XML tags) nor accompanied by instructions to ignore embedded commands.\n - Capability inventory: The agent environment has shell access (
spawn-codex-worker.sh), file system write access, and Git integration.\n - Sanitization: There is no evidence of filtering or escaping logic applied to the data gathered by explorer agents before it is passed to the synthesizer.\n- [REMOTE_CODE_EXECUTION]: The "Codex delegation" and "Codex CLI workers" patterns indicate that code analysis results are sent to an external, third-party execution environment or model endpoint. This architecture could facilitate unauthorized remote code execution or sensitive data exposure if the external environment is compromised.
Audit Metadata