run-batch-codex-research
Pass
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: SAFE (PROMPT_INJECTION, COMMAND_EXECUTION)
Full Analysis
- [PROMPT_INJECTION]: The skill is designed to process untrusted external data from sources such as `inputs.txt`, `urls.txt`, or CSV files, which creates an indirect prompt injection surface.
  - Ingestion points: Untrusted data enters the context via the input resolution process described in Step 1, where it reads from files or pasted lists.
  - Boundary markers: The skill uses a structured work directory layout to separate frozen templates (`template.md`), rendered prompts (`prompts/`), and final answers (`answers/`), creating clear boundaries between stages of execution.
  - Capability inventory: The skill has the capability to execute external binaries on the system path (e.g., `codex`, `claude`, `gemini`, `ollama`) and perform file system writes and renames (Step 5).
  - Sanitization: The skill explicitly mitigates command injection risks by mandating in-process prompt rendering (Rule 3) and forbidding shell string concatenation for input interpolation (Step 3).
- [COMMAND_EXECUTION]: The skill provides templates for executing system commands and managing a pool of worker processes.
  - Evidence: The skill defines shell command shapes using `timeout`, `xargs`, and redirection patterns for managing LLM CLI execution and log capture (Step 4, Step 5, and Single-CLI command shape).
Audit Metadata