Codex Agent Enhanced

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Codex automation tool, but it can persistently run hooks and send Codex outputs to Telegram, with risky default routing values.

Install only if you intentionally want OpenClaw to run Codex for you and send Codex completion content to Telegram. Before enabling it, replace all sample chat IDs and bot account names, review the notify hook path in ~/.codex/config.toml, avoid using it on confidential repositories unless notifications are minimized or disabled, and be cautious with the 100-year session-retention and cron options.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (36)

Tainted flow: 'LOG_FILE' from os.environ.get (line 23, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
def log(msg: str) -> None:
    """Write a line to the log file (used for debugging)."""
    # LOG_FILE is read from os.environ.get (the tainted source named in this finding)
    try:
        with open(LOG_FILE, "a", encoding="utf-8") as f:
            f.write(f"[{datetime.now().strftime('%H:%M:%S')}] {msg}\n")
    except Exception:
        pass
Confidence
81% confidence
Finding
with open(LOG_FILE, "a", encoding="utf-8") as f:

Tainted flow: 'PROJECT_STATE_FILE' from os.environ.get (line 28, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
state["updatedAt"] = now_iso()

# Write the updated state back to the file
# (PROJECT_STATE_FILE is read from os.environ.get, the tainted source in this finding)
with open(PROJECT_STATE_FILE, "w", encoding="utf-8") as f:
    json.dump(state, f, ensure_ascii=False, indent=2)

log(f"project state updated: task={PROJECT_TASK_ID}, status=review_pending")
Confidence
93% confidence
Finding
with open(PROJECT_STATE_FILE, "w", encoding="utf-8") as f:

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The guide explicitly instructs users to keep OpenClaw session state effectively alive for 100 years by setting an enormous idle timeout. That creates unnecessary long-term retention of conversational context, increasing privacy exposure, cross-task data leakage, and the blast radius if the agent is later misused or compromised.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README documents broad Telegram notification and forwarding behavior that materially expands the skill's data-flow and external communication scope beyond simply operating Codex CLI. Undisclosed outbound messaging is security-relevant because users may authorize the skill expecting local automation, while the skill also exports task progress and outputs to a chat platform.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Automatically forwarding Codex's complete replies to Telegram creates an external exfiltration path for source code, secrets, proprietary design details, or user-supplied sensitive data. Because the hook is automatic and tied to task completion, leakage can happen without a contextual per-task review of whether the output is safe to transmit.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill uses inconsistent environment variable names: earlier sections rely on OPENCLAW_* names, while the safety/config section references CODEX_AGENT_* names. This inconsistency can cause notifications to be sent to unintended targets, safety checks to fail open, or operators to patch scripts manually with hardcoded defaults, increasing the chance of misrouting sensitive task data.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The installation steps tell the user to modify persistent configuration files such as ~/.codex/config.toml and shell startup files, which changes future behavior of the system beyond the current task. Without explicit warnings, backup guidance, or rollback steps, users may unknowingly grant persistent execution hooks and environment changes that could be abused or cause lasting misconfiguration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide recommends an extreme session-retention configuration without clearly warning that it preserves agent context and potentially sensitive conversation history for an effectively indefinite period. This increases privacy risk and may allow unrelated future tasks to inherit stale or sensitive context.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The one-click prompt delegates installation, config edits, permission changes, and validation commands to another agent with little friction or safety framing. That encourages automated modification of the user's environment and execution of commands from a prompt block, which is risky in a security-sensitive setup involving hooks and persistent config.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README states that every step and outputs are synchronized to Telegram, but it does not prominently warn that sensitive code, prompts, logs, or project details may be transmitted to a third-party messaging channel. Missing privacy warnings increase the chance of unintentional disclosure by users who assume the automation remains local.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The notify hook is explicitly configured to send complete Codex replies to Telegram without an accompanying explicit warning or consent boundary in the documented flow. This is dangerous because complete replies can include code diffs, credentials accidentally surfaced during execution, internal paths, or analysis text not intended for external messaging systems.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly documents that full Codex replies and approval details are sent to Telegram, but it does not present a clear privacy warning, consent model, or data-handling boundary. Because this skill operates on local projects and terminal sessions, those relayed messages can include source code, secrets, file paths, or sensitive command details, creating a real confidentiality risk rather than a purely documentation issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow instructs sourcing a project .env file and echoing agent/chat identifiers without any guardrails around secrets, shell injection risk, or accidental log exposure. Because .env files often contain credentials and routing identifiers, this pattern can leak sensitive values to terminal history, logs, screenshots, or downstream tools, and 'source .env' executes arbitrary shell content if the file is tampered with.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The notification workflow sends task data to Telegram, including completion summaries and workflow events, but the skill description does not clearly disclose that external transmission occurs. This creates a privacy and data-governance risk because users may provide proprietary code, prompts, or operational details without realizing that summaries or metadata are routed to a third-party messaging platform.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation recommends storing sensitive values such as Telegram chat identifiers and agent routing/configuration in per-project `.env` files, but it does not instruct users to exclude those files from version control or otherwise protect them. In real projects, `.env` files are commonly committed accidentally, which can expose notification targets, internal agent identifiers, and task/state paths that aid phishing, spam, or operational abuse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation explicitly tells users to run `source .env`, which executes the file as shell code rather than merely loading key/value pairs. If `.env` is modified maliciously or contains unexpected shell syntax, this can execute arbitrary commands in the user's shell session.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The document recommends an auto-configuration script that generates `.env`, modifies `~/.codex/config.toml`, and may create cron configuration, but does not prominently warn about these side effects. Encouraging users to run such a script without review increases the risk of unintended persistent configuration changes or abuse if the script is altered.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The recommended workflow includes executing a setup script, sourcing `.env`, and registering a cron job, all of which can introduce persistent or code-executing changes. Without warnings or review steps, users may unknowingly install recurring automation or execute attacker-controlled content in their shell environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to configure a Telegram integration for agent notifications and includes concrete chat/channel identifiers, but provides no warning that task summaries and project metadata may be transmitted to an external messaging service. In this skill context, the automation sends completion details about development work, which can easily include sensitive codebase information, making accidental data disclosure a realistic risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documented workflow describes an automated review loop that can update task state and advance to a committed outcome after cron-based checks, without a prominent warning that the system may autonomously modify project state or progress work without immediate user confirmation. In an agent skill designed to operate Codex CLI in a project repository, this increases the chance of unintended changes, misleading status transitions, or unauthorized commit progression in production-like environments.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly shows that project path information and task completion details are sent to Telegram, but it does not warn users that operational metadata leaves the local environment and is transmitted to a third-party service. In a coding-agent context, task descriptions and repository paths can reveal sensitive internal project names, file structures, or work content, so omitting this disclosure creates a real privacy and data-leakage risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly states that notify hooks receive the last assistant message and user input messages, and recommends forwarding them to external channels like Telegram or webhooks. In a skill designed for asynchronous wake-up and monitoring, this creates a real privacy and data-exfiltration risk because potentially sensitive prompts, outputs, and thread identifiers may leave the local trust boundary without any warning, minimization guidance, or consent controls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document advertises a flag that completely bypasses approvals and sandboxing, but does not pair it with strong operational warnings, usage constraints, or safe-default guidance. In the context of an agent skill that orchestrates Codex CLI and manages configuration/execution, this can normalize unsafe invocation patterns and lead users or downstream automation to run with unrestricted host access.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The reference describes applying the most recent diff to the local system without warning about modifying the working tree, overwriting expected state, or requiring review before application. In a skill centered on automated task execution through Codex CLI, omission of these cautions increases the chance of unintended or unsafe local changes being applied blindly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow instructs collecting local configuration data and fetching remote content without warning about privacy or network implications. In an agent skill context, this increases the chance that sensitive local settings are accessed and external requests are made automatically without informed user consent or redaction safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal