collaborating-with-codex

Fail

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: HIGHCOMMAND_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The bridge script scripts/codex_bridge.py executes the codex binary using subprocess.Popen to perform arbitrary tasks defined in the --PROMPT argument provided by the agent.
  • [COMMAND_EXECUTION]: The skill explicitly disables safe sandboxing options. Both the SKILL.md instructions and the scripts/codex_bridge.py logic reject the read-only sandbox level, defaulting instead to danger-full-access.
  • [COMMAND_EXECUTION]: The script implements an automatic downgrade mechanism in probe_bwrap_sandbox that reverts to danger-full-access if the bwrap (bubblewrap) utility cannot initialize correctly, which is a common occurrence in restricted environments like WSL, Docker, or specific Linux distributions (Ubuntu 24.04+).
  • [COMMAND_EXECUTION]: On Windows platforms, the script wraps commands in cmd.exe /c and uses custom character escaping for the prompt text. This implementation introduces a potential command injection surface if the escaping logic is bypassed by specially crafted prompt payloads.
  • [COMMAND_EXECUTION]: The skill instructions mandate that the bridge script must always be executed with run_in_background: true. This persistent background execution reduces the user's ability to monitor or audit the commands and file system changes being performed by the delegated Codex agent in real-time.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 13, 2026, 05:55 PM
Security Audit — agent-trust-hub — collaborating-with-codex