codex-review-loop

Pass

Audited by Gen Agent Trust Hub on Jun 26, 2026

Risk Level: SAFECOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill executes a bundled shell script codex-review-loop.sh to automate GitHub interactions. It also instructs the agent to run local verification tools such as compilers, linters, and test suites, which involves arbitrary command execution.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It retrieves review findings and comments from a GitHub PR and presents them to the agent as tasks to be performed.
  • Ingestion points: Pull request comments and review bodies are fetched via the GitHub API in codex-review-loop.sh (specifically within the cmd_findings and cmd_poll functions).
  • Boundary markers: No delimiters or safety instructions are used to separate untrusted GitHub content from the agent's instructions.
  • Capability inventory: The agent has the ability to write to the local filesystem, execute shell commands (for testing/linting), and perform repository actions like pushing commits and merging pull requests (gh pr merge).
  • Sanitization: The script does not perform any validation or sanitization of the comment content before providing it to the agent.
Audit Metadata
Risk Level
SAFE
Analyzed
Jun 26, 2026, 02:28 AM
Security Audit — agent-trust-hub — codex-review-loop