codex-orchestrator
Warn
Audited by Snyk on May 17, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The skill explicitly enables web search (both "Exa web search" and native Codex web search) in SKILL.md and scripts/codex-exec.sh (flags --web-search / --search and passing -c 'web_search="live"'), and codex-exec.sh can inject external search guidance into AGENTS.md (cat "$AGENTS_FILE" "$EXA_GUIDE" > "$WORK_DIR/AGENTS.md"), so the agent will read and act on open/public web content which can materially influence its actions (including write-capable operations via --full-auto).
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill runs codex-version-check.sh --auto-update at startup which can run npm update -g @openai/codex, fetching and installing the remote Codex CLI package (https://www.npmjs.com/package/@openai/codex) at runtime—this fetches and executes remote code and the skill requires the Codex CLI to operate.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (medium risk: 0.60). The skill does not explicitly instruct creating users or editing system service/SSH files, but it includes global installs (npm -g), an auto-update mechanism, a "danger-full-access" sandbox and a "--full-auto" mode that together enable automated, unrestricted system modifications and potential privilege-requiring actions.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W013 (MEDIUM): Attempt to modify system services in skill instructions.