consult-codex

Pass

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: SAFE

Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill uses the bash tool to invoke the codex CLI for executing queries and resuming sessions. The instructions explicitly require the use of dangerouslyDisableSandbox: true for these calls to allow network communication.
  • [DATA_EXFILTRATION]: The skill reads workspace files and transmits their content to the OpenAI API (via the Codex CLI) to provide context for AI-driven assistance. While this targets a well-known service, it involves the outbound transfer of local file data.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface by ingesting untrusted data from the workspace and interpolating it into queries for an external LLM.
  • Ingestion points: Step 1 involves identifying and reading 2-5 workspace files as context for the question.
  • Boundary markers: The instructions recommend using XML tags (e.g., <grounding_rules>) to structure the prompt, which provides logical separation but does not prevent instruction override by adversarial content within the files.
  • Capability inventory: The skill uses bash to run codex, which can be configured with workspace-write permissions to execute code, and it bypasses sandbox restrictions for network access.
  • Sanitization: No explicit sanitization or filtering of the ingested file content is performed before it is passed to the CLI tool.
Audit Metadata
Risk Level: SAFE
Analyzed: May 11, 2026, 05:59 PM