Security audit

Codex CLI Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Codex task runner, but it needs Review because it stores credentials locally and can launch high-impact background code execution with weak scoping and a confirmed shell-command construction flaw.

Review carefully before installing. Use only in a disposable or tightly scoped workspace, do not enter a valuable API key until secret input and storage are fixed, remove bundled task history, avoid broad natural-language auto-triggers, and replace the `bash -c` invocation with safe argument passing before using it on real projects.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (23)

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The examples portray the skill as initiating and completing substantive Codex development tasks such as writing crawlers, refactoring projects, and running builds, which goes beyond a narrowly described 'guardian/management' role. This scope expansion can mislead users and downstream agents into granting broader authority than expected, increasing the chance of unreviewed code execution or project modification.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The skill is presented as session/infrastructure management, but this section documents a trigger flow that turns ordinary user prompts about coding into executable Codex tasks. That is a scope-expansion issue: users or orchestrators may enable it for administrative purposes while it can also generate and run development actions.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding: The document says the skill is not a coding-agent replacement, but elsewhere it accepts coding requests and routes them to Codex for execution. This contradiction can mislead reviewers and policy systems about the real behavior and reduce scrutiny of code-execution pathways.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding: The wrapper invokes `codex --full-auto exec`, which grants the downstream agent broad autonomy to act on the provided task in the working directory. In a 'guardian' skill, this meaningfully increases risk because untrusted task text can trigger code changes or command execution beyond a narrow mediation role, and the script provides no policy checks or confirmation gate before launching it.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding: The script tells the user the API key input will not be shown, but uses `read -p` without `-s`, so terminal echo remains enabled and the secret is displayed as typed. This can expose the key to shoulder surfing, screen recording, terminal logging, or shared-session observation.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The help text advertises very broad natural-language triggers like '帮我写一个爬虫' ("help me write a crawler") or '帮我重构这段代码' ("help me refactor this code"), which overlap with ordinary conversation and can cause accidental invocation of Codex-backed actions. In an agent setting, ambiguous triggers increase the risk that routine chat is interpreted as authorization to perform code changes or task execution.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The examples describe Codex creating files, refactoring modules, and running builds/tests without warning users that these actions can change project state, consume resources, or execute impactful operations. Omitting these warnings undermines informed consent and makes unsafe use more likely, especially for users who may assume the tool is advisory only.

Missing User Warnings

Severity: High
Confidence: 99%
Finding: The setup example visibly displays the API key during input, validation, and save confirmation, normalizing unsafe credential handling and exposing a secret directly in conversational output. In practice, chat logs, screenshots, terminal scrollback, or shared sessions could leak the key and enable unauthorized API use.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The example trigger phrases are generic software-development requests that many users might say in ordinary conversation, which can cause the skill to activate in situations where the user did not explicitly intend to invoke this privileged wrapper. In this skill's context, unintended activation is more dangerous because it can launch Codex tasks in the background, manage API keys, and execute work on the user's behalf.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: Using the broad keyword '开发' ("develop") as a trigger means normal discussion about development work may be interpreted as authorization to enter an execution-confirmation flow. In a shell-capable skill, overbroad natural-language triggers materially increase the risk of unintended task initiation.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The keyword '脚本' ("script") is common in ordinary conversation and can collide with requests that are exploratory or descriptive rather than commands. Because this skill can launch background shell-driven workflows, accidental trigger matching can produce unintended execution paths.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The keyword '程序' ("program") is extremely broad and likely to appear in benign discussion, making false activations plausible. In context, this is more dangerous because activation can lead to launching a background Codex process rather than a harmless UI response.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding: Single-word confirmations like '是' ("yes"), '好' ("OK"), or '执行' ("execute") are highly ambiguous in normal conversation and can easily be misbound to a previously detected trigger. Since confirmation leads to actual task execution through shell scripts and background processes, this creates a realistic unintended-execution risk.

Vague Triggers

Severity: High
Confidence: 97%
Finding: The trigger '终止任务' ("terminate task") performs a destructive action immediately and is phrased as a natural-language sentence that could appear in discussion or quoted text. Because it maps directly to process termination, an accidental or adversarially induced phrase could stop legitimate work without user intent.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script injects `OPENAI_API_KEY_0011AI` directly into the child process environment, exposing a sensitive credential to the invoked tool and potentially to process inspection, logs, crash reports, or any subprocesses it spawns. Because the tool is launched in autonomous mode, this also broadens the chance of unintended credential use or exfiltration.

Missing User Warnings

Severity: Low
Confidence: 95%
Finding: The script injects `OPENAI_API_KEY_0011AI` directly into the child process environment, exposing a sensitive credential to the invoked tool and potentially to process inspection, logs, crash reports, or any subprocesses it spawns. Because the tool is launched in autonomous mode, this also broadens the chance of unintended credential use or exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 99%
Finding: Sensitive credential entry is performed with visible terminal echo, which directly leaks the API key to anyone who can observe the terminal or capture its contents. Because this is an API credential, disclosure can lead to unauthorized API usage, cost abuse, and access under the user's identity.

Ssd 3

Severity: High
Confidence: 99%
Finding: The example directly repeats the user's supplied API key in plain text and models a workflow where secrets are exposed at the natural-language layer. This is especially dangerous because users and implementers may copy the pattern into real deployments, causing credential leakage through logs, transcripts, support tickets, or collaboration tools.

Credential Access

Severity: High
Category: Privilege Escalation
Content:
│   ├── codex-call.sh         # main invocation script (background + PTY)
│   └── session.sh            # state management / kill
├── scripts/
│   └── init-setup.sh         # API key validation + write to credentials.env
├── state/
│   ├── current-task.json     # running task
│   ├── tasks/                # task history
Confidence: 96%
Finding: credentials.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
## 2. API Key Management

**Storage file**: `credentials.env` (inside the skill directory)
**Format**: `OPENAI_API_KEY_0011AI=<key>`
**Permissions**: 600
Confidence: 98%
Finding: credentials.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
1. Detect an existing key → ask whether to reset it
2. Obtain the key (environment variable takes priority; otherwise prompt the user to enter it)
3. **Validate the key**: actually invoke `codex --full-auto exec "echo ok"`
4. Validation succeeds → write to `credentials.env` (permissions 600); validation fails → return to STEP 2

**At runtime**: codex-call.sh reads the key from `credentials.env` inside the skill directory
Confidence: 97%
Finding: credentials.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
3. **Validate the key**: actually invoke `codex --full-auto exec "echo ok"`
4. Validation succeeds → write to `credentials.env` (permissions 600); validation fails → return to STEP 2

**At runtime**: codex-call.sh reads the key from `credentials.env` inside the skill directory

---
Confidence: 97%
Finding: credentials.env

Credential Access

Severity: High
Category: Privilege Escalation
Content:
│   ├── codex-call.sh         # main invocation script (background + PTY)
│   └── session.sh            # state management / kill
├── scripts/
│   └── init-setup.sh         # API key validation + write to credentials.env
├── state/
│   ├── current-task.json     # running task
│   ├── tasks/                # task history
Confidence: 96%
Finding: .env

VirusTotal

67/67 vendors flagged this skill as clean.