codex-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The helper script and SKILL.md explicitly fetch and use remote GitHub PR/branch data (gh pr view and git fetch origin) and then run codex review on that fetched branch, meaning the agent ingests user-generated repository/PR content from GitHub as part of its review workflow.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.70). This skill runs git fetch origin at runtime (i.e., the repository URL configured as "origin", e.g. git@github.com:org/repo.git or https://github.com/org/repo.git), which pulls remote repository content that is then used as the input/context for the Codex review process and therefore can directly influence model prompts/outputs.