codex-agent
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHCOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script
scripts/codex-wrapper.shis vulnerable to arbitrary command injection. It uses theevalshell command to execute a string constructed from unvalidated inputs such as$WORKDIR,$SESSION, and$TASK. A malicious project name or task description could execute arbitrary system commands on the user's machine. - [EXTERNAL_DOWNLOADS]: The skill instructs users to install software using commands that are either deceptive or point to unrelated packages. Specifically, it recommends
npm install -g @openai/codex(a package not associated with an official OpenAI CLI) andbrew install --cask codex(which refers to a Digital Comics Reader, not a coding tool). This poses a severe risk of users unknowingly installing malicious or incorrect software. - [PROMPT_INJECTION]: The skill introduces a surface for indirect prompt injection. The primary agent is instructed to read 'fixes' from a temporary file generated by the external Codex tool and apply them directly to the source code using the
Edittool. If the external tool or the data it processes is compromised, it can force the agent to inject malicious code into the project without proper sanitization. - [COMMAND_EXECUTION]: The skill documentation encourages high-risk behavior by highlighting
danger-full-accesssandbox modes andapproval = "never"configurations, which bypass standard security guardrails and human-in-the-loop verification for file system operations.
Recommendations
- AI detected serious security threats
Audit Metadata