run-codex-1

Fail

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: HIGH
Categories: COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill's core configuration in scripts/codex-flags.sh passes the --dangerously-bypass-approvals-and-sandbox flag unconditionally for all managed operations. This disables both the Codex sandbox and the approval gate, so the autonomous agent runs with full filesystem access and unrestricted network egress, as references/universal/codex-flags.md itself documents.
  • [DATA_EXFILTRATION]: In scripts/setup-worktree.sh, the skill automatically symlinks .env.local (and other environment files specified by the LINK_ENV_FILE variable) from the primary repository into isolated worktrees. This exposes sensitive development credentials and secrets to the autonomous agents and any commands they execute.
  • [REMOTE_CODE_EXECUTION]: The run-fleet.sh script (and its documentation in run-fleet.md) implements an automatic 'post-verify' step that selects and executes shell commands such as pnpm test, cargo check, or go vet based on which files are present in the repository. The repository being verified therefore controls both whether a command runs and, through the scripts and build steps it defines, what that command does, so a malicious or compromised repository can achieve arbitrary code execution during the automated fleet run.
  • [PROMPT_INJECTION]: The skill uses a 'SUBAGENT-STOP' instruction prefix in its templates (found in references/templates/exec.tmpl.md and references/templates/review.tmpl.md) designed to override the backend model's internal meta-skills and planning protocols. While intended for performance, this constitutes a deliberate bypass of the managed model's standard operational guidelines.
  • [DATA_EXFILTRATION]: By enabling unrestricted network egress via the sandbox bypass, the skill creates a path for potentially sensitive repository data or environment secrets to be sent to external endpoints during task execution.
  • [COMMAND_EXECUTION]: The dispatcher in scripts/run-codex-1.mjs uses child_process.spawn with detached: true to run its background workers. While functional for orchestration, this pattern reduces oversight of the commands being executed in the background.
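The following is an added example, not the skill's own scripts/codex-flags.sh: a flag guard that refuses to launch Codex with --dangerously-bypass-approvals-and-sandbox (or the equivalent --sandbox / --ask-for-approval values) unless the operator opts in explicitly, and that falls back to a sandboxed, approval-gated baseline when no flags are given. Flag and mode names follow the Codex CLI as documented at the time of writing and should be checked against `codex --help` for the installed version; CODEX_ALLOW_BYPASS and CODEX_BIN are hypothetical variables introduced for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the run-codex-1 skill): refuse the sandbox/approval
# bypass unless explicitly opted in, and default to a constrained flag set.
# Flag and mode names are the Codex CLI's as documented at time of writing;
# CODEX_ALLOW_BYPASS (opt-in) and CODEX_BIN (binary path) are hypothetical.

BYPASS_FLAG="--dangerously-bypass-approvals-and-sandbox"

# check_codex_flags FLAG... : returns 0 if the flag list may be used, 1 if it
# disables the sandbox or the approval gate without CODEX_ALLOW_BYPASS=1.
check_codex_flags() {
  local allow="${CODEX_ALLOW_BYPASS:-0}"
  while [ $# -gt 0 ]; do
    case "$1" in
      "$BYPASS_FLAG"|--sandbox=danger-full-access|--ask-for-approval=never)
        if [ "$allow" != "1" ]; then
          echo "refusing $1: it removes the sandbox or the approval gate" >&2
          return 1
        fi ;;
      --sandbox|--ask-for-approval)
        # Two-token form: inspect the value that follows the option.
        if [ "${2:-}" = "danger-full-access" ] || [ "${2:-}" = "never" ]; then
          if [ "$allow" != "1" ]; then
            echo "refusing $1 $2: it removes the sandbox or the approval gate" >&2
            return 1
          fi
        fi
        [ $# -ge 2 ] && shift ;;
    esac
    shift
  done
  return 0
}

# run_codex_guarded FLAG... : validates the flags (defaulting to a sandboxed,
# approval-gated baseline when none are given), then execs codex. When
# CODEX_BIN is unset it prints the command line instead, for demonstration.
run_codex_guarded() {
  if [ $# -eq 0 ]; then
    set -- --sandbox workspace-write --ask-for-approval on-request
  fi
  check_codex_flags "$@" || return 1
  if [ -n "${CODEX_BIN:-}" ]; then
    exec "$CODEX_BIN" "$@"
  fi
  printf 'codex %s\n' "$*"
}

# Demo: the baseline is accepted, the bypass is rejected unless opted in.
run_codex_guarded
run_codex_guarded "$BYPASS_FLAG" || echo "bypass rejected (expected)"
```

Dropping the guard into the wrapper that the skill's scripts call means the bypass becomes a deliberate, per-run decision recorded in the environment rather than a silent default.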
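The following is an added example, not the skill's own scripts/setup-worktree.sh or run-fleet.sh, showing hardened replacements for the two patterns flagged under DATA_EXFILTRATION and REMOTE_CODE_EXECUTION above: an env file is copied into the worktree minus secret-looking keys instead of being symlinked wholesale, and the post-verify command is taken from an operator-maintained allowlist kept outside the repository instead of being inferred from files the repository controls. The allowlist format (repo, tab, command), the secret-key pattern and the sample inputs are assumptions constructed for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the run-codex-1 skill): hardened worktree helpers.
#   filter_env_file   copy config into a worktree, dropping secret-looking keys
#   select_verify_cmd choose the post-verify command from a trusted allowlist
# Allowlist format (repo<TAB>command) and SECRET_KEY_RE are assumptions.

SECRET_KEY_RE='(SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE_KEY|API_KEY|CREDENTIAL)'

# filter_env_file SRC DST : writes the non-secret assignments from SRC to DST
# and prints the number of lines dropped. Blank and comment lines are skipped;
# an optional "export " prefix is ignored when matching the key name.
filter_env_file() {
  local src="$1" dst="$2" dropped=0 line key
  : > "$dst"
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in ''|'#'*) continue ;; esac
    key="${line%%=*}"
    key="${key#export }"
    if printf '%s' "$key" | grep -Eq "$SECRET_KEY_RE"; then
      dropped=$((dropped + 1))          # secret: never reaches the worktree
    else
      printf '%s\n' "$line" >> "$dst"   # plain config: copied, not linked
    fi
  done < "$src"
  echo "$dropped"
}

# select_verify_cmd ALLOWLIST REPO : prints the approved verify command for
# REPO, or returns 1 if none is listed. Only the operator-maintained allowlist
# influences the choice; nothing in the checkout can add or alter a command.
select_verify_cmd() {
  local allowlist="$1" repo="$2" name cmd tab
  tab="$(printf '\t')"
  while IFS="$tab" read -r name cmd || [ -n "$name" ]; do
    if [ "$name" = "$repo" ] && [ -n "$cmd" ]; then
      printf '%s\n' "$cmd"
      return 0
    fi
  done < "$allowlist"
  return 1
}

# Demo with constructed inputs (placeholder values, not real credentials).
demo_dir="$(mktemp -d)"
printf '%s\n' 'DATABASE_URL=postgres://localhost/dev' 'API_KEY=sk-test-123' \
  '# local overrides' 'NEXT_PUBLIC_FLAG=1' 'export AWS_SECRET_ACCESS_KEY=abc' \
  > "$demo_dir/.env.local"
dropped="$(filter_env_file "$demo_dir/.env.local" "$demo_dir/.env.worktree")"
echo "dropped $dropped secret line(s); kept:"
cat "$demo_dir/.env.worktree"
printf 'web-app\tpnpm test --run\ncli-tool\tgo vet ./...\n' \
  > "$demo_dir/verify-allowlist.tsv"
select_verify_cmd "$demo_dir/verify-allowlist.tsv" cli-tool
select_verify_cmd "$demo_dir/verify-allowlist.tsv" untrusted-repo \
  || echo "no approved verify command for untrusted-repo: skipping post-verify"
rm -rf "$demo_dir"
```

A repository that has no allowlist entry simply gets no post-verify step, which is the safe default for a fleet that clones code it has not reviewed; the key filter is a coarse screen and should be paired with keeping real credentials out of .env.local altogether.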
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 19, 2026, 02:36 PM
Security Audit — agent-trust-hub — run-codex-1