codex-exec
Pass
Audited by Gen Agent Trust Hub on Jul 7, 2026
Risk Level: SAFECOMMAND_EXECUTIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill is designed to invoke the
codexCLI via bash. It documents high-privilege sandbox modes such asdanger-full-accessand the--dangerously-bypass-approvals-and-sandboxflag, which allows the sub-agent to perform actions without user confirmation or environment restrictions. - [EXTERNAL_DOWNLOADS]: The skill references the installation of the
@openai/codexpackage from the npm registry. This is an official package from a well-known service. - [PROMPT_INJECTION]: The skill facilitates the processing of arbitrary user instructions by interpolating them into shell commands. This creates an attack surface for indirect prompt injection.
- Ingestion points: The
<task>placeholder and standard input incodex execcommands are populated by user-controlled text. - Boundary markers: No explicit delimiters or instructions to ignore embedded commands are present in the command templates.
- Capability inventory: The skill utilizes the Bash tool for command execution, allowing for file system access and system modification depending on the chosen sandbox mode.
- Sanitization: No sanitization or validation of the user-provided prompt is performed before it is passed to the execution environment.
Audit Metadata