Trust Assessment
codex-cli received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 3 findings: 2 critical, 1 high, 0 medium, and 0 low severity. Key findings: the skill configures the `codex-cli` backend with auto-approved write access; it enables `codex-cli` as a backend with arbitrary command execution capabilities; and it configures a subagent with broad tool execution permissions.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 25/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (3)
| Severity | Finding | Description | Remediation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Skill configures `codex-cli` backend with auto-approved write access | The skill's `Pattern 3: CLI Backend Fallback` configuration explicitly instructs Clawdbot to run `codex` with the `--full-auto` flag. This flag allows `codex` to "Auto-approve workspace writes," granting it broad write permissions to the filesystem without requiring explicit user approval for each operation. This significantly increases the risk of unintended or malicious modifications to the codebase if the `codex` agent is compromised or misinterprets instructions. | Remove `--full-auto` from the `args` array in the `cliBackends` configuration. Instead, rely on `codex`'s default approval mechanisms or use more granular approval modes. If auto-approval is strictly necessary, ensure robust input sanitization and strict sandboxing for the `codex` process. | LLM | SKILL.md:155 |
| CRITICAL | Skill enables `codex-cli` as a backend with arbitrary command execution capabilities | The skill integrates `codex-cli`, an AI agent designed to generate and execute commands, including shell commands, on the local machine. The `Pattern 3: CLI Backend Fallback` explicitly configures Clawdbot to invoke `codex exec` with `--full-auto`. This setup, combined with `codex`'s inherent ability to interpret natural language prompts and execute corresponding commands, creates a direct path for command injection. A malicious prompt provided to the host LLM, which is then delegated to `codex`, could lead to the generation and execution of arbitrary shell commands on the system without user intervention, posing a severe security risk. | Implement strict input sanitization and validation for all prompts passed to `codex-cli`. Avoid using `--full-auto` or `--sandbox danger-full-access` in production environments. Prefer `Read Only` or default approval modes. Ensure `codex-cli` runs in a highly restricted sandbox environment with minimal necessary permissions. | LLM | SKILL.md:155 |
| HIGH | Subagent configured with broad tool execution permissions | The skill's `Pattern 2: Subagent Delegation` configures a subagent named "coder" with an extensive list of allowed tools, including `exec`, `read`, `write`, `edit`, `apply_patch`, and `process`. Granting `exec` and `write` permissions to an AI subagent without strict controls significantly increases the attack surface. If this subagent is compromised or misinterprets instructions, it could perform arbitrary file modifications or execute malicious commands on the system. | Review and restrict the `allow` list for subagents to the absolute minimum required tools. Implement granular permissions where possible, and ensure any `exec` or `write` operations are subject to human approval or strict sandboxing. | LLM | SKILL.md:141 |
Full report: https://skillshield.io/report/a7c35a723276e4b4