codex
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE COMMAND_EXECUTION PROMPT_INJECTION
Full Analysis
- COMMAND_EXECUTION (LOW): The skill is designed to execute the `codex` command-line tool with natural language instructions. While it supports a `read-only` sandbox, it also uses `workspace-write` and `--full-auto`, allowing the tool to autonomously modify files in the user's workspace.
- PROMPT_INJECTION (LOW): Category 8: Indirect Prompt Injection. The skill is highly susceptible to indirect injection because its primary function is to analyze and refactor existing codebases.
  - Ingestion points: Any source file or documentation in the local workspace being processed (e.g., `UserService.kt`).
  - Boundary markers: Absent. The instructions are passed as raw strings to the CLI.
  - Capability inventory: The skill can read all project files and write changes back to the filesystem when using the `workspace-write` sandbox.
  - Sanitization: None. The skill does not sanitize or validate the content of the files it analyzes before processing them with the AI model.
- COMMAND_EXECUTION (LOW): The execution protocol mandates the use of `--skip-git-repo-check`, which explicitly bypasses a safety feature of the Codex tool. Additionally, the systematic use of `2>/dev/null` to suppress standard error hides potentially critical warnings or security-related error messages from the user.