Back to skill

Security audit

OpenAI Codex Sub Agents

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent Codex CLI integration, but it gives agents broad automatic coding authority with limited user-control warnings.

Install only if you intentionally want Clawdbot to delegate coding work to Codex CLI. Use trusted repositories, pin `--cd` to the intended project, prefer read-only or approval-gated modes for unfamiliar code, avoid `--yolo` and `danger-full-access` outside disposable environments, and review Codex auth/session storage plus any token sync or feedback logs before enabling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list is extremely broad and overlaps with ordinary software-development requests, which can cause this skill to activate in many contexts where users did not explicitly intend to delegate work to a powerful local coding CLI. Because the skill advertises tooling with filesystem access and potentially wider machine/network access, overbroad routing increases the chance of unintended execution paths and unsafe delegation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The 'When to Use' section defines activation criteria in very general terms that match a large fraction of normal coding conversations. In the context of a skill that can edit files, run commands, and potentially operate with full access, such broad activation guidance makes accidental or overly aggressive tool use more likely.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly recommends `codex exec --full-auto` for coding tasks and labels it suitable for 'trusted repos' without adding any explicit warning that the command can autonomously modify files and execute consequential actions. In the context of an agent integration skill, this is dangerous because users or downstream agents may copy the pattern verbatim, causing unattended code changes or command execution in the wrong repository or on a repo that only appears trusted.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The reference documents a `--yolo` mode that disables approvals and sandboxing while only labeling it as 'dangerous'. In a skill meant to delegate coding work to a CLI subagent, this materially increases the chance that operators invoke an unsafe mode without understanding that it permits unrestricted command execution and file changes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
`codex apply <task_id>` is described as applying a cloud diff locally without warning that it will modify the local working tree. In this skill context, users may treat cloud-generated diffs as trusted and unintentionally overwrite files or introduce malicious or incorrect changes into a repository.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `/feedback` command says it sends logs to maintainers but does not warn that logs may contain prompts, file paths, command output, or other sensitive context. In an agent-assisted coding workflow, such logs can easily include proprietary code or secrets, creating a privacy and data-exposure risk.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
| `--sandbox, -s` | read-only, workspace-write, danger-full-access | Sandbox policy |
| `--ask-for-approval, -a` | untrusted, on-failure, on-request, never | Approval mode |
| `--full-auto` | boolean | workspace-write + approve on failure |
| `--yolo` | boolean | No approvals or sandbox (dangerous) |
| `--profile, -p` | string | Config profile name |
| `--oss` | boolean | Use local Ollama |
| `--search` | boolean | Enable web search |
Confidence
91% confidence
Finding
No approval

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.