codex-review
Warn
Audited by Gen Agent Trust Hub on May 16, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The helper script `scripts/codex-review` uses `bash -lc "$parallel_tests"` to execute a command string provided as an argument. This pattern functions similarly to `eval` and can be exploited for arbitrary command execution if the agent populates the `--parallel-tests` argument using untrusted data, such as a malicious test command suggested in a pull request description or comment.
- [COMMAND_EXECUTION]: The helper script allows specifying the path to the Codex binary via the `--codex-bin` argument. This enables the execution of an arbitrary binary if the agent is directed to use a non-standard path.
Audit Metadata