codex
Pass
Audited by Gen Agent Trust Hub on Apr 6, 2026
Risk Level: SAFE
COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill invokes `git diff` to extract code changes for analysis.
- [DATA_EXFILTRATION]: Project source code and diffs are transmitted to an external service (OpenAI) via the `mcp__codex__codex` tool. This is the intended function of the skill and is initiated by the user.
- [PROMPT_INJECTION]: The skill is exposed to indirect prompt injection (Category 8) because it passes untrusted content from the codebase into a prompt for another AI model.
  1. Ingestion points: `git diff` output and project files specified in the prompt.
  2. Boundary markers: Absent; the skill does not wrap the processed code in delimiters or provide 'ignore embedded instructions' guards.
  3. Capability inventory: The skill performs file reads and external tool calls but has no write access.
  4. Sanitization: None; code content is interpolated directly into prompts for the downstream tool.
Audit Metadata