codex-think-about

Pass

Audited by Gen Agent Trust Hub on May 29, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted input (the user's question and whatever is supplied through {PROJECT_CONTEXT} and {RELEVANT_FILES}) into the templates used to prompt the 'Codex' agent. With no delimiters around that input and no safety instruction on how external data is to be treated, a malicious input can hijack the session.
      • Ingestion points: multiple placeholders in SKILL.md and references/prompts.md, including {QUESTION}, {PROJECT_CONTEXT} and {RELEVANT_FILES}.
      • Boundary markers: no XML-style delimiters, JSON schemas or 'ignore instructions' warnings are used around the interpolated variables.
      • Capability inventory: the 'Codex' agent has broad capabilities, including file reading (cat, grep, rg) and outbound network access (curl), and runs with the danger-full-access sandbox mode.
      • Sanitization: no evidence of filtering, escaping or validation of user-provided content before it is added to the prompt.
  • [COMMAND_EXECUTION]: The skill performs several local command executions for session management, monitoring and utility purposes.
      • It executes a local runner script via node "$RUNNER" with multiple subcommands.
      • It implements a json_esc function that escapes strings by running inline JavaScript with node -e. Whether the value reaches Node through argv or stdin, or is spliced into the -e source text, decides whether json_esc is itself an injection point.
      • It monitors for unauthorized changes to the project using git status or a combination of find and stat commands.
  • [DATA_EXFILTRATION]: Although the skill is intended for research, the agent configuration presents a data-exposure risk. The 'Codex' agent is explicitly permitted to read project files and to make outbound network requests via curl. After a successful prompt injection, those two capabilities together allow sensitive repository data to be transmitted to an external server.
Audit Metadata
Risk Level: SAFE
Analyzed: May 29, 2026, 08:34 PM