claude-code-to-codex
Warn
Audited by Gen Agent Trust Hub on Jun 20, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the agent to use npx continues or bunx continues to perform session migration. This involves downloading and executing a third-party package from an external repository at runtime.
- [DATA_EXFILTRATION]: The skill accesses sensitive configuration files including ~/.claude/settings.json, ~/.claude.json, and session transcripts in ~/.claude/projects/. These files contain project history and user-specific configuration data.
- [COMMAND_EXECUTION]: The migration process requires the agent to execute shell commands such as claude, codex, and git. It also creates new Codex hooks and skills based on instructions found in the source project.
- [PROMPT_INJECTION]: The skill processes untrusted instructions from CLAUDE.md and custom command markdown files. These inputs are used to generate new agent behavior and could contain malicious instructions. Ingestion points: CLAUDE.md, .claude/commands/.md, ~/.claude/projects/.jsonl. Boundary markers: Absent. Capability inventory: Shell command execution, file-system writes, and network access. Sanitization: No explicit validation or filtering of external configuration content.
Audit Metadata