run-codex-exec

Warn

Audited by Gen Agent Trust Hub on May 10, 2026

Risk Level: MEDIUM

Findings: PROMPT_INJECTION, DATA_EXFILTRATION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill's SKILL.md and references/prompt-template.md promote a prompt prefix that instructs the AI to "SKIP ALL META-SKILLS", "DO NOT READ SKILL FILES", and "DO NOT WRITE PLANNING DOCS". This is an intentional override designed to bypass instructions or constraints from other installed AI agent skills to ensure the agent focuses solely on code generation.
  • [DATA_EXFILTRATION]: In scripts/setup-worktree.sh, the skill automatically symlinks the project's .env.local file into every newly created worktree. This action exposes potentially sensitive environment variables and credentials to the codex exec sub-agent. Since the agent operates in a workspace-write sandbox (via the --full-auto flag), it has the permission to execute shell commands and modify files, which increases the risk of credential exposure if the agent is influenced by malicious data.
  • [COMMAND_EXECUTION]: The scripts/codex-wrapper.sh script dynamically determines and executes shell commands for post-commit verification (POST_VERIFY_CMD and POST_VERIFY_TESTS). These commands are inferred from the project's file structure (e.g., executing npx tsc if tsconfig.json is found or cargo check for Cargo.toml). An attacker could potentially manipulate which commands are executed by altering the project's configuration files.
  • [REMOTE_CODE_EXECUTION]: The core functionality of the skill is to wrap codex exec, which executes AI-generated code on the local machine. The wrapper utilizes the --full-auto flag, granting the agent broad permissions to perform file edits and run shell commands within the workspace, inherently trusting the safety of the LLM-generated output.
  • [PROMPT_INJECTION]: The skill presents a surface for Indirect Prompt Injection.
    ◦ Ingestion points: Sub-agents process project files (source code, configuration, and documentation) within the git worktrees.
    ◦ Boundary markers: The skill lacks explicit boundary markers or instructions to the sub-agent to ignore potential instructions embedded within the files it reads.
    ◦ Capability inventory: Sub-agents have significant capabilities, including file modification and shell command execution within the workspace sandbox.
    ◦ Sanitization: No validation or sanitization is performed on the content of the files processed by the sub-agents.
Audit Metadata

Risk Level: MEDIUM
Analyzed: May 10, 2026, 03:49 PM