codex-fluent
Pass
Audited by Gen Agent Trust Hub on Jul 2, 2026
Risk Level: SAFEPROMPT_INJECTIONNO_CODE
Full Analysis
- [PROMPT_INJECTION]: The skill's primary workflow relies on "handoff documents" (e.g., stored in
docs/codex-handoffs/) which are designed to be read by the agent to resume work in new sessions. This mechanism creates an indirect prompt injection surface as the agent is instructed to follow instructions embedded within these external files. - Ingestion points: The
SKILL.mdworkflow andreferences/handoff-template.mdguide the agent to read repository files and specific handoff markdown documents. - Boundary markers: The reactivation prompt template includes instructions for the agent to follow, but it lacks specific delimiting markers or "ignore embedded instructions" directives to isolate the handoff content from the agent's core logic.
- Capability inventory: The agent is granted the capability to perform file system operations (moving, rotating, and backing up files) within the user's home directory (
~/.codex/and~/Documents/Codex/). - Sanitization: There is no mention of content validation, escaping, or sanitization for the data processed from the handoff files.
- [NO_CODE]: The skill is composed entirely of markdown instructions, checklists, and templates. It does not include any Python or Node.js scripts, binary executables, or configuration fields that trigger automated tool execution.
Audit Metadata