codex-cli-hooks
Pass
Audited by Gen Agent Trust Hub on May 5, 2026
Risk Level: SAFEPROMPT_INJECTION
Full Analysis
- [PROMPT_INJECTION]: The skill instructions and examples describe a workflow that ingests untrusted data, creating an attack surface for indirect prompt injection.
- Ingestion points: The
stdinpayload of hook scripts forPreToolUse,PostToolUse, andUserPromptSubmitcontains raw user prompts, shell commands, and tool results. - Boundary markers: The documentation and examples do not describe or implement boundary markers or instructions to ignore instructions embedded within the processed data.
- Capability inventory: Hooks can influence agent behavior by denying tool use, replacing tool outputs with feedback, and injecting
systemMessageoradditionalContextinto the prompt. - Sanitization: No sanitization or validation of the incoming JSON payload is mentioned or shown in the examples.
Audit Metadata