Trust Assessment
codex received a trust score of 55/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 5 findings: 1 critical, 1 high, 2 medium, and 1 low severity. Key findings include Network egress to untrusted endpoints, Covert behavior / concealment directives, and Potential Command Injection via User Input.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 11, 2026 (commit 458b1186). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (5)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Potential Command Injection via User Input: The skill instructs the agent to construct shell commands by piping user-provided input directly into `codex exec` using `echo`, specifically `echo "your prompt here" \| codex exec ...` and `echo "new prompt" \| codex exec resume --last`. If 'your prompt here' or 'new prompt' is taken directly from untrusted user input without proper sanitization or escaping, an attacker could inject arbitrary shell commands (e.g., `hello; rm -rf /`) that would be executed by the underlying system. Recommendation: implement robust input sanitization and escaping for all user-provided strings before they are incorporated into shell commands; consider a safer method for passing input to `codex exec` that avoids direct shell interpretation, or ensure that the `codex` tool itself handles input securely. | LLM | SKILL.md:20 |
| HIGH | Instruction to use 'danger-full-access' sandbox mode: The skill explicitly instructs the agent to use `--sandbox danger-full-access` when 'network or broad access are necessary'. This mode grants the `codex` tool extensive permissions, including network access and full system access, which could be exploited for data exfiltration, system compromise, or other malicious activities if the `codex` tool is compromised or misused. While the guide mentions asking for user permission, the skill's design actively facilitates the use of this highly privileged mode. Recommendation: re-evaluate the necessity of `danger-full-access` mode; if absolutely required, ensure that its use is strictly conditional, with explicit and informed user consent for each invocation; implement additional safeguards, such as limiting network access to specific domains or restricting filesystem access to only necessary paths, if the `codex` tool allows for more granular control; and provide clear warnings to the user about the risks associated with this mode. | LLM | SKILL.md:16 |
| MEDIUM | Network egress to untrusted endpoints: HTTP request to a raw IP address. Recommendation: review all outbound network calls and remove connections to webhook collectors, paste sites, and raw IP addresses; legitimate API calls should use well-known service domains. | Manifest | cli-tool/components/mcps/devtools/figma-dev-mode.json:4 |
| MEDIUM | Instruction to bypass Git repository checks: The skill explicitly states 'Always use --skip-git-repo-check.' and includes this flag in multiple example commands. This instruction bypasses a potential safety mechanism of the `codex` tool, which might otherwise prevent operations on uncommitted changes, dirty repositories, or other unstable Git states. Bypassing such checks could lead to unintended or destructive modifications to the codebase without proper version control safeguards. Recommendation: remove the instruction to 'Always use --skip-git-repo-check.' and instead advise the agent to use this flag only when explicitly requested by the user and when the implications are fully understood; leave the `codex` tool's default safety checks active unless there is a specific, justified reason to bypass them. | LLM | SKILL.md:18 |
| LOW | Covert behavior / concealment directives: Multiple zero-width characters (stealth text). Recommendation: remove hidden instructions, zero-width characters, and bidirectional overrides; skill instructions should be fully visible and transparent to users. | Manifest | cli-tool/components/mcps/devtools/jfrog.json:4 |
[Full SkillShield report](https://skillshield.io/report/10108ac06fa3a739)