The Agent Skills Directory

[COMMAND_EXECUTION]: The run-session.sh script executes the codex command, which allows the AI to run arbitrary shell commands on the host system to complete tasks. While this is the core feature of the skill, it presents a significant security risk if the AI-generated commands are malicious.
[REMOTE_CODE_EXECUTION]: The skill uses the Codex model to generate and execute code autonomously. The loop mechanism in run-session.sh allows for continuous, multi-session execution of remote-generated logic without manual review between steps.
[DATA_EXFILTRATION]: The --network flag in run-session.sh enables the --dangerously-bypass-approvals-and-sandbox option for the Codex CLI. This explicitly disables platform security controls and allows the autonomous agent to communicate with external servers, facilitating the exfiltration of sensitive project data or environment variables.
[PROMPT_INJECTION]: The skill processes untrusted user input (the task description) and interpolates it directly into the system prompts for the 'Initializer' and 'Executor' agents.
Ingestion points: The task_desc argument in run-session.sh is passed directly into the AI prompt.
Boundary markers: The prompts do not use robust delimiters or instructions to prevent the user description from overriding the agent's core safety guidelines or workflow logic.
Capability inventory: The agents have access to codex exec, file system writes, and optional network access.
Sanitization: No sanitization is performed on the task description content to prevent adversarial prompt injection.
[CREDENTIALS_UNSAFE]: The execution templates (executor-prompt.md) instruct the agent to run ls -la and cat files to 'get its bearings'. This pattern makes it easy for a compromised agent or a malicious task description to discover and read sensitive files like .env or .ssh configurations.

autonomous-skill