collaborating-with-codex
Fail
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The bridge script
scripts/codex_bridge.pyexecutes thecodexbinary usingsubprocess.Popento perform arbitrary tasks defined in the--PROMPTargument provided by the agent. - [COMMAND_EXECUTION]: The skill explicitly disables safe sandboxing options. Both the
SKILL.mdinstructions and thescripts/codex_bridge.pylogic reject theread-onlysandbox level, defaulting instead todanger-full-access. - [COMMAND_EXECUTION]: The script implements an automatic downgrade mechanism in
probe_bwrap_sandboxthat reverts todanger-full-accessif thebwrap(bubblewrap) utility cannot initialize correctly, which is a common occurrence in restricted environments like WSL, Docker, or specific Linux distributions (Ubuntu 24.04+). - [COMMAND_EXECUTION]: On Windows platforms, the script wraps commands in
cmd.exe /cand uses custom character escaping for the prompt text. This implementation introduces a potential command injection surface if the escaping logic is bypassed by specially crafted prompt payloads. - [COMMAND_EXECUTION]: The skill instructions mandate that the bridge script must always be executed with
run_in_background: true. This persistent background execution reduces the user's ability to monitor or audit the commands and file system changes being performed by the delegated Codex agent in real-time.
Recommendations
- AI detected serious security threats
Audit Metadata