codex-session-manager

Pass

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: SAFE · DATA_EXFILTRATION · PROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill reads and processes session transcripts in ~/.codex/sessions and ~/.codex/archived_sessions. As noted in the documentation, these logs may contain sensitive information such as API keys, credentials, or private user data accidentally captured during interactions. Accessing these paths is the primary function of the skill.
  • [PROMPT_INJECTION]: The skill parses and summarizes untrusted historical data (Indirect Prompt Injection). This creates a surface where malicious instructions embedded in a past conversation could influence the agent during processing.
      • Ingestion points: Reads .jsonl files from the ~/.codex directory structure.
      • Boundary markers: Uses Markdown headers and code blocks to structure output, but lacks specific instructions to the agent to ignore instructions found within the data.
      • Capability inventory: Performs local file system reads and writes to ~/.codex/session-markdown; no network or arbitrary command execution detected.
      • Sanitization: Uses standard JSON parsing and sanitizes input used for file names.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 13, 2026, 12:06 PM