codex-orchestrator

Fail

Audited by Gen Agent Trust Hub on Apr 24, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION]: The bridge script scripts/codex-bridge.mjs implements a --context-cmd argument that is passed directly to execSync, allowing the execution of arbitrary shell commands on the host.
  • [COMMAND_EXECUTION]: The skill documentation in SKILL.md and references/protocol-reference.md explicitly recommends bypassing safety controls using flags like --dangerously-bypass-approvals-and-sandbox and setting approval_policy to never or sandbox_mode to danger-full-access.
  • [DATA_EXFILTRATION]: The --context-cmd feature captures command output and injects it into the LLM prompt, providing a mechanism to harvest and transmit sensitive local data to external model providers.
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to install the @openai/codex package globally via npm. While from a well-known organization, global package installation requires elevated permissions and introduces external code.
  • [REMOTE_CODE_EXECUTION]: The bridge script facilitates the execution of shell commands and interaction with the Codex CLI, which is designed to generate and execute code autonomously.
  • [COMMAND_EXECUTION]: The skill has an indirect prompt injection surface because it processes output from the Codex model and provides shell execution capabilities.
      * Ingestion points: scripts/codex-bridge.mjs reads JSON output from the Codex CLI.
      * Boundary markers: Absent.
      * Capability inventory: execSync and spawn in scripts/codex-bridge.mjs.
      * Sanitization: Absent; uses a trivial regex blocklist for command names which is easily bypassed.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Apr 24, 2026, 02:02 PM