codex-sandbox

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). Yes — the skill's scripts (scripts/codex_sandbox.py: e.g., ensure_bare_mirror uses "git clone --bare <remote_url>" and multiple "git fetch"/"git clone" calls, and SKILL.md instructs launching the agent inside the created sandbox) fetch and clone arbitrary git remotes (remote_url/origin) into the sandbox where the agent will run and thus can read/act on untrusted, user-generated repository content that could alter its behavior.