codex-review
Warn
Audited by Gen Agent Trust Hub on May 14, 2026
Risk Level: MEDIUM
Tags: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill instructs the agent to dynamically build shell commands for the 'codex' CLI by interpolating user-provided parameters, such as the model name (-m <model>) and reasoning effort level (-c model_reasoning_effort="<effort>"). This pattern is susceptible to command injection if the inputs are not properly sanitized to prevent shell metacharacters from executing arbitrary commands.
- [INDIRECT_PROMPT_INJECTION]: The skill ingests untrusted data from the filesystem and conversation history to provide context for the code review and planning process.
- Ingestion points: Source code files, directory structures, git diffs, and implementation plan summaries are read and included in prompts.
- Boundary markers: The prompt templates utilize markdown headers like '## Context' and '## Scope' as delimiters, which are insufficient for isolating untrusted content from the rest of the instructions.
- Capability inventory: The skill uses shell execution capabilities and has broad filesystem access.
- Sanitization: No sanitization or escaping of the ingested file content or plan descriptions is performed before they are interpolated into the prompt sent to the Codex CLI.
Audit Metadata