codex-agent

Fail

Audited by Gen Agent Trust Hub on Jun 19, 2026

Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The helper script scripts/codex-wrapper.sh is vulnerable to arbitrary command injection. It uses the eval shell command to execute a string constructed from unvalidated inputs such as $WORKDIR, $SESSION, and $TASK. A malicious project name or task description could execute arbitrary system commands on the user's machine.
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to install software using commands that are either deceptive or point to unrelated packages. Specifically, it recommends npm install -g @openai/codex (a package not associated with an official OpenAI CLI) and brew install --cask codex (which refers to a Digital Comics Reader, not a coding tool). This poses a severe risk of users unknowingly installing malicious or incorrect software.
  • [PROMPT_INJECTION]: The skill introduces a surface for indirect prompt injection. The primary agent is instructed to read 'fixes' from a temporary file generated by the external Codex tool and apply them directly to the source code using the Edit tool. If the external tool or the data it processes is compromised, it can force the agent to inject malicious code into the project without proper sanitization.
  • [COMMAND_EXECUTION]: The skill documentation encourages high-risk behavior by highlighting danger-full-access sandbox modes and approval = "never" configurations, which bypass standard security guardrails and human-in-the-loop verification for file system operations.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 19, 2026, 03:58 PM
Security Audit — agent-trust-hub — codex-agent