codex-skill
Fail
Audited by Gen Agent Trust Hub on Jun 23, 2026
Risk Level: HIGHCOMMAND_EXECUTIONREMOTE_CODE_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions and templates to execute the
codexCLI using flags that bypass security controls, such as--dangerously-bypass-approvals-and-sandboxand--full-auto, which skip user approval prompts and sandboxing mechanisms. - [REMOTE_CODE_EXECUTION]: The skill establishes an automated workflow where an external AI model can execute arbitrary code on the system through shell commands and tmux sessions without human oversight.
- [DATA_EXFILTRATION]: The instructions promote a
danger-full-accessmode that grants the agent unrestricted system and network access. When combined with automated git operations likegit pushand GitHub CLI interactions, this enables the potential exfiltration of sensitive local information to remote repositories. - [PROMPT_INJECTION]: The workflow is susceptible to indirect prompt injection during multi-model code reviews. It ingests untrusted data from pull request diffs and processes them through AI models without sanitization or boundary markers.
- Ingestion points: Pull request diffs are ingested via
gh pr diffin the review step. - Boundary markers: No explicit delimiters or instructions are used to ignore instructions embedded within the diff content.
- Capability inventory: The agent has access to full system and network operations via the
codexflags, as well as file writes and git/gh CLI tools. - Sanitization: No sanitization or validation of the diff data is performed before it is passed to the AI for analysis.
- [EXTERNAL_DOWNLOADS]: The skill suggests installing the
@openai/codexpackage from the official NPM registry.
Recommendations
- AI detected serious security threats
Audit Metadata