parallel-codex-pr-review
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
- [COMMAND_EXECUTION]: The script `scripts/parallel_reviews.sh` is vulnerable to command or argument injection. It uses `bash -c` inside an `xargs` call to execute the `codex` command, interpolating environment variables like `PARALLEL_REVIEW_REASONING` directly into the shell string. Maliciously crafted input in the `--reasoning-effort` argument can break out of the intended command structure.
  - Evidence: `scripts/parallel_reviews.sh` lines 101-112, specifically the expansion of `$PARALLEL_REVIEW_REASONING` inside the `bash -c` block.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface. It ingests PR review data—which includes code and comments from potentially untrusted PRs—and asks the agent to "Deduplicate and validate all the findings" and create an "execution plan to fix valid findings." An attacker could include malicious instructions in code comments to influence the agent's synthesis or the resulting fix plan.
  - Ingestion points: The workflow in `SKILL.md` specifies reading review blocks containing PR content.
  - Boundary markers: There are no explicit delimiters or instructions to treat the review data as untrusted or to ignore embedded instructions.
  - Capability inventory: The skill can execute shell scripts and access repository files.
  - Sanitization: No sanitization or escaping of the PR content is performed before the agent processes it.
- [COMMAND_EXECUTION]: The skill relies on an external, non-standard CLI tool named `codex` for its core functionality.
  - Evidence: `scripts/parallel_reviews.sh` line 105: `codex e review --json ...`.
- [DATA_EXFILTRATION]: The script interacts with the GitHub CLI (`gh`) and Git metadata to detect branch names, which involves accessing repository state and potentially utilizing local authentication tokens.
  - Evidence: `scripts/parallel_reviews.sh` lines 58 and 67.