codex-collab
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes external shell commands using subprocess.Popen and subprocess.run to interact with the codex CLI. Although it uses shell=False, which mitigates direct shell injection, the wrapper scripts expose high-privilege flags such as --sandbox danger-full-access and --yolo. If the agent is influenced by malicious input, these flags allow it to bypass the recommended safety constraints (such as read-only access).
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it processes data from the local repository and passes it to an external LLM (Codex).
  1. Ingestion points: Untrusted content from files in the repository and from user prompts is ingested via scripts/codex_exec.py and scripts/codex_review.py.
  2. Boundary markers: No explicit boundary markers or isolation techniques are employed to distinguish instructions from data in the generated prompts.
  3. Capability inventory: The skill can call the codex command, which is capable of extensive filesystem interaction and code execution.
  4. Sanitization: There is no evidence of sanitization or filtering of the content read from the workspace before it is sent to the external LLM.
Audit Metadata