codex-cli
Warn
Audited by Gen Agent Trust Hub on Apr 7, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill documents the use of flags like '--full-auto', '--add-dir', and '-C', which allow for automated file system modifications and directory access control.
- [REMOTE_CODE_EXECUTION]: The 'codex' tool is described as an agent that can 'read, edit, and run code locally.' The instructions explicitly promote using '-a never' (skipping approvals) and '-s danger-full-access', enabling the execution of AI-generated code without human oversight.
- [EXTERNAL_DOWNLOADS]: The instructions include a global installation command for an npm package (@openai/codex) from a well-known organization.
- [PROMPT_INJECTION]: The skill defines patterns that ingest untrusted data from the workspace (e.g., processing 'TODO.md').
  1. Ingestion points: Local files and directories specified via the '-C' and '--add-dir' flags.
  2. Boundary markers: None identified in the provided patterns.
  3. Capability inventory: The tool can perform file system writes and execute arbitrary code.
  4. Sanitization: No sanitization or validation of the input file content is mentioned.
Audit Metadata