codex-review-loop
Pass
Audited by Gen Agent Trust Hub on Jun 26, 2026
Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes a bundled shell script
codex-review-loop.shto automate GitHub interactions. It also instructs the agent to run local verification tools such as compilers, linters, and test suites, which involves arbitrary command execution. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves review findings and comments from a GitHub PR and presents them to the agent as tasks to be performed.
- Ingestion points: Pull request comments and review bodies are fetched via the GitHub API in
codex-review-loop.sh(specifically within thecmd_findingsandcmd_pollfunctions). - Boundary markers: No delimiters or safety instructions are used to separate untrusted GitHub content from the agent's instructions.
- Capability inventory: The agent has the ability to write to the local filesystem, execute shell commands (for testing/linting), and perform repository actions like pushing commits and merging pull requests (
gh pr merge). - Sanitization: The script does not perform any validation or sanitization of the comment content before providing it to the agent.
Audit Metadata