Codex All-in-One for ArkClaw

Security checks across malware telemetry and agentic risk

Overview

This Codex setup skill is coherent, but it makes lasting shell and Codex configuration changes, stores API keys, and starts background relay processes without enough explicit user control.

Review before installing. Use this only if you are comfortable with it installing packages, writing API keys into ~/.bashrc, replacing the active Codex profile, starting local background relay processes, and routing Codex traffic to the configured provider or custom endpoint. Check how to remove the ~/.bashrc entries, stored keys, ~/.codex profiles, and relay processes if you later uninstall it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Medium
Confidence: 96%
Finding
The skill says keys must be user-provided, yet elsewhere instructs itself to silently consume injected environment credentials and configure profiles without asking. That creates a trust and consent problem: the agent may access, persist, and operationalize secrets the user never explicitly chose to use in this workflow.

Description-Behavior Mismatch

Medium
Confidence: 93%
Finding
The installation helper persists changes to ~/.bashrc by appending to PATH without prompting the user. Modifying shell startup files creates lasting system state, can surprise users, and in shared or sensitive environments may alter command resolution behavior beyond the current session.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script installs and starts a long-lived local relay service and adds shell-based autostart behavior, which materially expands its privileges and persistence beyond a one-time CLI configuration task. In this skill context, that is security-relevant because it creates a resident process that can continuously proxy API traffic and survive future shell sessions without an explicit opt-in at the moment persistence is added.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger scope is extremely broad, covering generic mentions of codex, model providers, endpoints, and even adjacent tools. That increases the chance of unintended invocation during ordinary conversation, causing the skill to install software, inspect environment state, or modify configuration when the user did not clearly request those actions.

Vague Triggers

Medium
Confidence: 89%
Finding
The natural-language examples are generic enough that normal coding requests may accidentally route into this skill. Because the skill's default behavior includes running diagnostic scripts and potentially setting up services, accidental triggering can lead to unintended system changes and secret handling.

Missing User Warnings

Medium
Confidence: 95%
Finding
The normal-use path explicitly forbids informing the user while still running local scripts, ensuring services, and executing 'codex exec' with the full user request. Hiding these actions reduces meaningful consent and makes it easier for the skill to alter local state or transmit user content to configured endpoints without clear user awareness.

Missing User Warnings

Medium
Confidence: 94%
Finding
The description omits a clear warning that setup stores API keys in '~/.bashrc' and profile files. Persisting secrets in shell startup files can expose them to other local processes, future sessions, backups, or accidental disclosure, especially when users are not clearly told this will happen.

Missing User Warnings

Medium
Confidence: 95%
Finding
Writing to ~/.bashrc without explicit confirmation is genuinely unsafe because it introduces persistence and changes future shell behavior without informed consent. In an agent skill context this is more concerning, because users may expect an installation helper to affect only the current task, not their login environment permanently.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script writes the API key directly into ~/.bashrc without an explicit confirmation prompt at the time of modification. Persisting secrets in a shell startup file increases the risk of accidental disclosure through backups, debugging, shell dumps, or other local processes, and in this skill the risk is amplified because the same file is later used to auto-launch the relay with those credentials.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script stores the provided API key persistently in ~/.bashrc and exports it into future shell sessions without an explicit warning or confirmation step. Persisting secrets in shell startup files increases the chance of accidental disclosure through local file reads, shell debugging, backups, or later tooling that prints environment variables.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script forcefully repoints ~/.codex/config.toml to a profile symlink and changes the active profile, which alters user configuration state without interactive confirmation. Even though it backs up an existing config, this can unexpectedly override user settings and redirect future Codex traffic to a different relay/provider than the user intended.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script appends autostart logic to ~/.bashrc so that future shells automatically launch a background relay using stored credentials. Persistent shell modification plus automatic background process launch creates lasting behavior beyond the current run and can expose secrets or network activity the user did not explicitly approve.

Missing User Warnings

Medium
Confidence: 93%
Finding
The script stores the supplied API key in ~/.bashrc automatically and exports it into the current shell without any consent prompt or safer storage mechanism. This creates long-lived credential exposure risk because shell init files are broadly readable by user processes, easy to leak via backups/logs/support bundles, and persist beyond the immediate setup task.

VirusTotal

65/65 vendors flagged this skill as clean.
