codex-retrospective
Pass
Audited by Gen Agent Trust Hub on Jun 24, 2026
Risk Level: SAFEPROMPT_INJECTIONDATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through its core retrospective process. It instructs the agent to analyze 'session history', 'Memories', and 'Chronicle', which are untrusted data sources containing previous user interactions and potential attacker-controlled content.
- Ingestion points: The analysis prompt in
references/retrospective-prompt.mddirects the agent to review all recent session history, including context and memory stores. - Boundary markers: No explicit delimiters or instructions are provided to the agent to distinguish between its own meta-instructions and the untrusted content being analyzed within the history.
- Capability inventory: The agent has the capability to propose permanent behavioral modifications to
AGENTS.mdand generate new executable logic in the form of.mdskill files. - Sanitization: There is no evidence of filtering or sanitization of the history data before it is processed by the retrospective logic.
- [DATA_EXFILTRATION]: The skill involves the systematic processing of interaction history which often contains sensitive data such as project details, internal paths, and potentially credentials if they were previously mentioned in a session.
- Exposure Risk: While the skill does not contain direct network exfiltration commands, the process of summarizing history into reports (as seen in
references/examples/good-retrospective-output.md) risks exposing or re-stating sensitive information from past sessions in a new context, which could lead to accidental data disclosure in logs or shared configurations.
Audit Metadata