run-codex-review

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 1.00). The skill explicitly fetches and aggregates public PR review streams (codex-rescue, Copilot, Greptile, Devin, cubic-dev-ai, and human comments) via scripts/Monitors/await-pr-reviews.py and GitHub gh api in Phase 6, and the Phase 7 Evaluator sub-agent reads and interprets those untrusted, user-generated review comments to decide accepted/rejected/ambiguous items that directly drive Phase 8 apply/merge actions—so third-party content can materially influence agent behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The skill explicitly discovers and executes the codex plugin helper (codex-companion.mjs) at runtime—via scripts/run-codex-review.py and scripts/trigger-codex-rescue.py—which is sourced from the OpenAI Codex plugin repository (https://github.com/openai/codex-plugin-cc) and therefore represents an external code artifact that is executed at runtime and directly controls prompts/behavior.