codex-orchestrator

Pass

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: SAFE (findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION)
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill includes an auto-update mechanism in 'scripts/codex-version-check.sh' that checks for and installs the latest version of the '@openai/codex' package from the official NPM registry during initialization.
  • [COMMAND_EXECUTION]: Orchestration scripts ('scripts/codex-exec.sh' and 'scripts/codex-session.py') execute the 'codex' CLI as a subprocess to perform developer tasks. These scripts pass arguments as arrays and call Python's subprocess.run() without the 'shell=True' parameter, so user-controlled input is not interpreted by a shell.
  • [SAFE]: No malicious patterns such as data exfiltration, hardcoded credentials, or obfuscated code were detected. The skill's behavior is consistent with its stated purpose of delegating tasks to a specialized CLI tool.
  • [INDIRECT_PROMPT_INJECTION]: The skill's primary function is to process user prompts and codebase content through the Codex CLI. It uses detailed persona profiles ('agents/*.md') to establish behavioral boundaries (e.g., 'Ask first', 'Never do'). While this creates an attack surface for indirect prompt injection from codebase content, the orchestrator includes a dedicated 'researcher' profile with a read-only sandbox and ephemeral session flags to mitigate risk during analysis.
Audit Metadata
Risk Level
SAFE
Analyzed
May 17, 2026, 10:59 PM
Security Audit — agent-trust-hub — codex-orchestrator