run-codex-2

Warn

Audited by Gen Agent Trust Hub on May 19, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill is designed to run the codex CLI tool with the --dangerously-bypass-approvals-and-sandbox flag enabled. This provides the model with full filesystem write access and unrestricted network egress, allowing it to perform tasks like dependency management and web research without user intervention.
  • [COMMAND_EXECUTION]: The run-fleet.sh script uses eval to execute post_verify_cmd strings. These commands are either auto-detected from the repository (e.g., pnpm test, cargo check) or supplied via an external tasks.json configuration file, creating a vector for arbitrary command execution if the task definition is compromised.
  • [COMMAND_EXECUTION]: Multiple scripts (setup-worktree.sh, run-fleet.sh, run-batch.sh) execute system-level commands and development binaries including git, npx, pnpm, npm, cargo, and go based on the content of the target repository.
  • [PROMPT_INJECTION]: Prompt templates provided in the references/templates/ directory contain instructions such as "SKIP ALL META-SKILLS", "DO NOT READ SKILL FILES", and "DO NOT ASK QUESTIONS". These are designed to override default AI agent behaviors to optimize for sub-agent performance and token usage.
  • [DATA_EXFILTRATION]: While no explicit exfiltration commands were detected, the inherent bypass of sandbox approvals combined with the model's ability to execute network tools creates a significant surface for data exfiltration from the local environment.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 19, 2026, 02:36 PM
Security Audit — agent-trust-hub — run-codex-2