Trust Assessment
codex-orchestrator received a trust score of 65/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 4 findings: 2 critical, 1 high, 1 medium, and 0 low severity. Key findings include Command Injection via unsanitized prompt in `bash` command, Command Injection via unsanitized 'task' in direct shell execution, Potential Command Injection via `process action:submit` data.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (4)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | Command Injection via unsanitized prompt in `bash` command: The skill's suggested `bash` command directly embeds a user-controlled `<PROMPT>` into its `command` argument. This allows for command injection if `<PROMPT>` contains shell metacharacters (e.g., `;`, `&&`, `\|`, `$()`, `` ` ``), leading to arbitrary code execution on the host system. All user-controlled input passed to shell commands must be rigorously sanitized or escaped. For the `<PROMPT>` variable, ensure shell metacharacters are properly escaped or, preferably, use a more controlled execution mechanism that doesn't interpret user input as shell commands. | LLM | SKILL.md:14 |
| CRITICAL | Command Injection via unsanitized 'task' in direct shell execution: The skill suggests a direct shell command `codex exec "task..." > codex.log 2>&1` where `"task..."` is a placeholder for user-provided input. Without proper sanitization, an attacker can inject malicious shell commands by crafting the 'task' input, leading to arbitrary code execution. User-provided input for the 'task' argument must be strictly sanitized or escaped to prevent shell metacharacter interpretation. Avoid directly embedding untrusted input into shell commands; prefer using tool-specific arguments or a sandboxed execution environment. | LLM | SKILL.md:60 |
| HIGH | Potential Command Injection via `process action:submit` data: The `process action:submit` command sends arbitrary `data` to a running background process. If the target process (e.g., an interactive `codex exec` session) interprets its standard input as commands, an attacker could inject malicious commands by crafting the `data` argument. The skill's examples of sending `y` or `\n` indicate interaction with interactive processes, increasing this risk. Validate and sanitize the `data` argument sent via `process action:submit` based on the expected input of the target process. If the target process is a shell or command interpreter, consider if a non-interactive mode or a more secure communication channel is available to prevent input-based command injection. | LLM | SKILL.md:36 |
| MEDIUM | Excessive Permissions due to arbitrary `workdir` in `bash` command: The `bash` command allows specifying an arbitrary `workdir:<target_dir>`. If `<target_dir>` is derived from untrusted input, an attacker could manipulate the working directory to access or modify files outside the skill's intended scope, potentially leading to unauthorized data access or modification. Restrict the `workdir` parameter to a predefined, secure, and isolated directory. If user input is necessary for `workdir`, implement strict validation to prevent path traversal (e.g., `../`) and ensure it points only to allowed locations. | LLM | SKILL.md:14 |