hetzner-codex-remote
Warn
Audited by Snyk on May 18, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.90). The SKILL.md explicitly fetches and executes untrusted public content (e.g., curl https://tailscale.com/install.sh | sh, git clone https://github.com/nvm-sh/nvm.git, npm install -g @openai/codex@latest, and parsing tailscale status --json/ AuthURL), and the skill reads/interprets those third-party outputs to decide follow-up actions, so it exposes the agent to indirect prompt-injection risk.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill's runtime installs and executes remote code—e.g., it runs git clone https://github.com/nvm-sh/nvm.git on the remote host and then sources/uses that code to install Node (and subsequently runs npm install -g @openai/codex@latest), so these external fetches directly execute remote code the skill depends on.
MEDIUM W013: Attempt to modify system services in skill instructions.
- Attempt to modify system services in skill instructions detected (high risk: 1.00). The skill explicitly instructs creating a new privileged "codex" user, adding a NOPASSWD sudoers file, editing /etc/ssh/sshd_config.d, enabling system services, and changing firewall rules — all privileged modifications that change the machine state and bypass normal protections.
Issues (3)
W011
MEDIUMThird-party content exposure detected (indirect prompt injection risk).
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W013
MEDIUMAttempt to modify system services in skill instructions.
Audit Metadata