codex-session-manager
Pass
Audited by Gen Agent Trust Hub on Jun 13, 2026
Risk Level: SAFE
Tags: DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill reads and processes session transcripts in ~/.codex/sessions and ~/.codex/archived_sessions. As noted in the documentation, these logs may contain sensitive information such as API keys, credentials, or private user data accidentally captured during interactions. Accessing these paths is the primary function of the skill.
- [PROMPT_INJECTION]: The skill parses and summarizes untrusted historical data (Indirect Prompt Injection). This creates a surface where malicious instructions embedded in a past conversation could influence the agent during processing.
  - Ingestion points: Reads .jsonl files from the ~/.codex directory structure.
  - Boundary markers: Uses Markdown headers and code blocks to structure output, but lacks specific instructions to the agent to ignore instructions found within the data.
- Capability inventory: Performs local file system reads and writes to ~/.codex/session-markdown; no network or arbitrary command execution detected.
  - Sanitization: Uses standard JSON parsing and sanitizes input used for file names.
Audit Metadata