codex-exec
Warn
Audited by Gen Agent Trust Hub on May 11, 2026
Risk Level: MEDIUM (COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill is a wrapper for the `codex` CLI, designed for autonomous task execution. It encourages the use of high-risk flags such as `--full-auto`, which allows the tool to modify files without user confirmation, and `--sandbox danger-full-access`, which enables system-level operations.
- [DATA_EXFILTRATION]: The documentation states that all tool invocations require `dangerouslyDisableSandbox: true`. This parameter disables the agent's security sandbox to allow network access (primarily for the OpenAI API), which could be leveraged to exfiltrate data from the local environment.
- [EXTERNAL_DOWNLOADS]: Under the `danger-full-access` permission level, the skill documentation explicitly mentions "Installing packages" as a capability, which entails downloading and running third-party software.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting external content and processing it through an autonomous execution engine.
- Ingestion points: Untrusted data enters the agent context through prompt arguments or stdin pipes as described in `SKILL.md`.
- Boundary markers: The instructions do not specify the use of delimiters or boundary markers to isolate untrusted data from the sub-agent's core instructions.
- Capability inventory: The tool allows for file system writes, system operations, package installation, and network access.
- Sanitization: No sanitization or validation of the input content is implemented before it is passed to the execution CLI.
Audit Metadata