Trust Assessment
codex-orchestration received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 1 critical, 1 high, 2 medium, and 0 low severity. Key findings include Arbitrary Command Execution via exec_command and codex exec, Potential Data Exfiltration via Command Injection and File Writes, Excessive Permissions Assumed for Agent Execution.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 41/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Layer Breakdown
Behavioral Risk Signals
Security Findings4
| Severity | Finding | Layer | Location | |
|---|---|---|---|---|
| CRITICAL | Arbitrary Command Execution via exec_command and codex exec The skill explicitly instructs the agent to use `exec_command` and `codex exec` for running background PTY terminals and sub-agents. These tools allow for arbitrary command execution. If untrusted input is incorporated into the commands executed by `exec_command` or `codex exec` (e.g., through the `TASK: <what to do>` placeholder in worker prompts), it creates a severe command injection vulnerability. A malicious actor could execute arbitrary shell commands on the host system. Implement robust input sanitization and validation for any user-provided input that might be passed to `exec_command` or `codex exec`. Consider sandboxing the execution environment (e.g., Docker, gVisor) and applying strict least-privilege principles to limit the capabilities of executed commands. Avoid direct interpolation of untrusted strings into shell commands. | LLM | SKILL.md:55 | |
| HIGH | Potential Data Exfiltration via Command Injection and File Writes Given the capability for arbitrary command execution through `exec_command` and `codex exec`, data exfiltration is a direct and high-risk consequence. A malicious command could read sensitive files (e.g., `/etc/passwd`, API keys) and transmit them to an external server. Additionally, the skill instructs workers to write output to files (e.g., `/tmp/w1.txt`) using `--output-last-message`. If sensitive data is inadvertently written to these files, or if the file path itself is manipulated by a malicious prompt, it could lead to data exposure. In addition to sanitizing inputs for command execution, restrict file system access for executed commands to only necessary directories. Ensure that temporary files are securely handled, deleted promptly, and that sensitive data is never written to world-readable or easily accessible locations. Implement network egress filtering to prevent unauthorized data transmission. | LLM | SKILL.md:89 | |
| MEDIUM | Excessive Permissions Assumed for Agent Execution The skill's 'Default assumptions' explicitly state 'YOLO config (no approvals); web search enabled.' and relies on 'PTY execution available via `exec_command` and `write_stdin`.' This indicates that the skill is designed to operate within an environment that grants broad system access and network capabilities to the agent. While the skill itself doesn't grant these permissions, it assumes and instructs their use, which, when combined with the potential for command injection, creates a high-risk scenario where an exploited agent could cause significant damage or exfiltrate data without approval mechanisms. Review and enforce the principle of least privilege for the agent's execution environment. Implement strict access controls, sandboxing, and approval workflows for sensitive operations. Disable or restrict `web search` and `exec_command` capabilities unless absolutely necessary and with appropriate safeguards. | LLM | SKILL.md:20 | |
| MEDIUM | Prompt Injection Vulnerability in Worker Agent Prompts The skill provides templates for constructing worker prompts, such as the 'Minimal worker command (example)' which includes a `TASK: <what to do>` placeholder. If the orchestrator agent, following this skill, incorporates untrusted user input directly into this `TASK` field without proper sanitization or validation, a malicious user could inject instructions that override the worker agent's predefined `ROLE` or `RULES`. This could lead to the worker performing unintended actions, disclosing information, or assisting in further exploitation. Instruct the orchestrator agent to rigorously sanitize and validate any user-provided input before incorporating it into worker prompts, especially for free-form fields like `TASK`. Consider using structured input for tasks where possible, or employing techniques like prompt separators and explicit instruction reinforcement to mitigate injection risks. | LLM | SKILL.md:159 |
Scan History
Embed Code
[](https://skillshield.io/report/9dddabfa61e183fb)
Powered by SkillShield