OpenAI Codex Sub Agents

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Codex CLI integration, but it can let the agent run a local coding tool that edits files, executes commands, and uses your Codex/OpenAI authentication.

Install this only if you want Clawdbot to delegate coding work to Codex CLI. Use specific project directories, avoid `--full-auto`, `danger-full-access`, or `--yolo` on untrusted code, and review Codex auth syncing, MCP servers, and session storage before enabling it.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Medium
What this means

Codex may modify project files and run commands in the selected workspace as part of a coding task.

Why it was flagged

The skill documents a workflow where Clawdbot invokes Codex CLI with `--full-auto`, allowing automated workspace edits and command execution for coding tasks.

Skill content
exec codex exec --full-auto --cd ~/projects/medreport "fix TypeScript errors in src/components"
Recommendation

Use this only on trusted repositories, set `--cd` to a specific project, and prefer read-only or approval-based modes for unfamiliar code.

ASI03: Identity and Privilege Abuse
Medium
What this means

Installing or configuring this integration can give Clawdbot access to your Codex/OpenAI-authenticated account context.

Why it was flagged

The integration describes copying Codex OAuth tokens from the local Codex auth file into Clawdbot auth profiles.

Skill content
Clawdbot auto-syncs OAuth tokens from Codex CLI:
- Source: `~/.codex/auth.json`
- Target: `~/.clawdbot/agents/<agentId>/agent/auth-profiles.json`
Recommendation

Only use this with an account and agent configuration you trust; review token storage locations and log out or rotate credentials if access is no longer needed.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

The local behavior depends on the externally installed Codex CLI package and its version.

Why it was flagged

The skill is instruction-only and asks the user to install an external global npm package rather than providing a pinned managed install artifact.

Skill content
npm i -g @openai/codex
Recommendation

Install Codex CLI from the official source, keep it updated intentionally, and consider pinning or reviewing the package version in controlled environments.

ASI07: Insecure Inter-Agent Communication
Low
What this means

Tasks, code context, and results may move between the main agent and the coding subagent.

Why it was flagged

The integration pattern enables a main agent to spawn or communicate with a Codex-backed coding subagent.

Skill content
tools: {
  agentToAgent: {
    enabled: true,
    allow: ["main", "coder"]
  }
}
Recommendation

Restrict allowed agents and tools to the minimum needed, and avoid sending sensitive repository or credential data to subagents unnecessarily.

ASI06: Memory and Context Poisoning
Low
What this means

Prior prompts, task context, or code-related session state may remain on disk after a task is finished.

Why it was flagged

The Codex CLI keeps session files that can persist coding context and be resumed later.

Skill content
Session Files

Location: `~/.codex/sessions/`
Recommendation

Avoid putting secrets in prompts, and periodically review or clear Codex session files if persistence is not desired.