codex-explain

Pass

Audited by Gen Agent Trust Hub on Mar 27, 2026

Risk Level: SAFE
Tags: PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill uses authoritative override markers such as "⚠️ Important" and "You must" in its reference prompts (references/codex-prompt-explain.md) to force the AI to prioritize specific research behaviors over its standard safety or operational guidelines.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it interpolates untrusted file content directly into the prompt for the Codex tool.
      • Ingestion points: Target file content is read into the ${CODE_CONTENT} variable (SKILL.md, Step 1).
      • Boundary markers: The content is wrapped in markdown code blocks within the prompt template, but these can be escaped and there are no explicit "ignore embedded instructions" warnings.
      • Capability inventory: The skill allows use of Read, Grep, Glob, and the mcp__codex__codex tool.
      • Sanitization: There is no sanitization or validation performed on the ${CODE_CONTENT} or file paths before interpolation.
  • [COMMAND_EXECUTION]: The prompt template in references/codex-prompt-explain.md provides the agent with shell command templates (ls, grep, cat) that include interpolated variables. If the agent or tool executes these strings verbatim, it creates a surface for command injection via crafted file names or function names extracted from the code.
  • [DATA_EXFILTRATION]: The research workflow instructs the agent to read files based on paths identified within the analyzed code (e.g., cat <dependency path>). This creates a risk of sensitive data exposure if the analyzed code contains crafted import or dependency paths pointing to sensitive system or configuration files (like .env or SSH keys).
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 27, 2026, 01:12 AM