orchestrate-codex

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: MEDIUM (PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [PROMPT_INJECTION]: Behavioral override patterns are embedded in scripts/render-task-prompts.sh and references/templates/exec.tmpl.md via a SUBAGENT-STOP prefix. This instruction explicitly directs the AI to "SKIP ALL META-SKILLS", "DO NOT WRITE PLANNING DOCS", and "DO NOT ASK QUESTIONS", effectively suppressing the AI's default safety guidelines and operational protocols to ensure immediate task execution.
  • [COMMAND_EXECUTION]: The skill hardcodes the --dangerously-bypass-approvals-and-sandbox flag in scripts/codex-flags.sh. This configuration removes the primary security boundaries of the Codex CLI, granting the agent full filesystem write permissions and unrestricted network egress without user confirmation. While this is the intended purpose of the orchestration tool, it enables a high-risk operational mode where the AI can execute arbitrary system commands.
  • [COMMAND_EXECUTION]: The scripts/run-fleet.sh script uses the eval command to run logic stored in the mode_state.post_verify_cmd variable. Because these verification commands can be sourced from external configuration files (tasks.json) or influenced by previous AI outputs, this represents a significant vector for arbitrary code execution on the host system.
  • [DATA_EXFILTRATION]: By enforcing the sandbox bypass, the skill permits the AI to perform network operations to any domain. This capability creates a potential path for data exfiltration if the agent is directed to send sensitive repository information or environment variables to a non-whitelisted external endpoint.
  • [SAFE]: The skill includes a vendored copy of the codex-cc libraries from the openai organization. As openai is a trusted organization, this external logic is considered safe for use within the framework.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 11:06 AM