codex-mentor
Fail
Audited by Gen Agent Trust Hub on Apr 14, 2026
Risk Level: HIGH
Threat categories: REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill utilizes the codex CLI with the --full-auto flag, enabling the autonomous execution of code or commands generated by a remote AI model on the user's local system.
- [EXTERNAL_DOWNLOADS]: Users are directed to install @openai/codex via NPM. This package name mimics official branding but is not a verified or standard distribution from the vendor, presenting a potential supply-chain threat.
- [COMMAND_EXECUTION]: The skill performs shell operations and CLI calls to process project data. It explicitly bypasses user confirmation for these actions, allowing the agent to modify files and execute logic without oversight.
- [DATA_EXFILTRATION]: Local source code, git diffs, and project metadata are read from the filesystem and transmitted to an external service via the CLI tool, potentially exposing sensitive information.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through the processing of untrusted project data.
  - Ingestion points: Project files read via cat, and version control data from git diff.
  - Boundary markers: Lacks explicit delimiters or instructions to ignore embedded commands within the ingested code.
  - Capability inventory: Includes file system write access for applying fixes, file system read access, and arbitrary command execution via the codex CLI.
  - Sanitization: No validation or filtering is applied to the code before it is passed to the AI model or executed.
Recommendations
- AI detected serious security threats
Audit Metadata