Back to skill

Security audit

Codex Agent

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Codex automation skill, but it forwards potentially sensitive Codex output to messaging channels and delegates broad command/approval authority to agents.

Install only if you intentionally want OpenClaw to operate Codex as a semi-autonomous coding agent. Use private notification channels, avoid full-auto for sensitive projects, disable or redact raw Telegram forwarding where possible, keep OpenClaw session persistence bounded, and stop tmux/monitor processes after each task.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The notification design includes sending completion and approval data to Telegram and waking another agent, which exceeds the core expectation of local tmux/Codex orchestration. Even if intended for convenience, it can disclose sensitive repository paths, prompts, summaries, or operational state to external systems. In a skill that may handle arbitrary project work, that context makes the data-sharing notably riskier.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The one-click auto-configuration block instructs another agent to make persistent system changes including installing files, editing user config, changing session-reset behavior to effectively never expire, modifying permissions, and running verification commands. In a security-sensitive agent ecosystem, packaging these changes as a copy-paste automation flow without an explicit warning/confirmation step increases the risk of unintended local configuration changes and over-broad trust in the skill.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly states that Codex's complete replies and approval details are forwarded to Telegram, but it does not present this as a sensitive-data transfer requiring explicit user consent, scoping, or redaction. In this skill's context, Codex may process source code, secrets, file paths, proprietary logic, and shell commands, so automatic mirroring to a messaging channel creates a real confidentiality risk.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that the skill scans the local environment and sends task progress, approval requests, and output content to Telegram, but it does not present a clear, prominent privacy warning about what data may be collected or transmitted. In this skill's context, that is security-relevant because environment details, code snippets, secrets in terminal output, file paths, and operational metadata could be exposed to an external messaging service or chat participants without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The workflow promotes `--full-auto` autonomous execution without a prominent warning that Codex may make changes, run commands, and continue operating without per-step human review. In a project-management skill that can modify configs and orchestrate background sessions, this significantly raises the chance of unintended or unsafe actions. The danger is amplified because the document encourages the operator to handle approvals internally and shield the user from intermediate steps.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs sending arbitrary prompts, interactive input, screenshots, and possibly searched content into Codex/TUI sessions, but it does not warn users that sensitive data may be processed externally depending on the backend and enabled features. This is a meaningful privacy/transparency gap, especially when the same workflow also supports background execution and automated iteration. Users may disclose secrets or proprietary content without informed consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The notification section explicitly describes sending execution data to Telegram and waking an external agent, but lacks a strong user-facing warning that workspace information and summaries may be disclosed off-box. Because the payload includes cwd and assistant-message content, exploitation could expose sensitive project names, paths, prompts, or outputs. In a development environment, that can cause confidentiality leaks even without malicious intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script captures tmux pane output, extracts command context, and sends approval-related details to an external messaging channel via `openclaw message send` and `openclaw agent --deliver`. Even though it does not transmit the full pane buffer, it still exfiltrates potentially sensitive operational context such as session names, commands awaiting approval, and workflow state, without any explicit consent prompt, redaction, or allowlist. In this skill context, the monitor is specifically designed to watch an interactive Codex TUI handling project tasks, which makes accidental leakage of secrets, internal paths, or sensitive commands more plausible and therefore more dangerous.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The document explicitly states that skills can be invoked implicitly based on description matching, which can cause this high-privilege skill to trigger without clear user intent. In the context of a Codex agent that can operate tmux, manage configuration, and leverage MCP/browser/search tooling, broad implicit activation increases the chance of unintended execution paths and tool use.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file tells users that Codex may automatically call configured MCP tools, including web search and browser-control integrations, but provides no explicit warning that prompts or workspace-derived data may be sent to external services. Because this skill has live web access, Exa search, and Chrome MCP installed, silent or poorly signposted external transmission materially raises data leakage and privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The notify section explicitly states that Codex passes a JSON payload via command-line arguments containing the last assistant message and user input messages, and suggests forwarding that data to Telegram, webhooks, or other external channels. This creates a real confidentiality risk because prompts, secrets, internal code context, and sensitive conversation content may be exposed to local process listings, shell history/logging, or third-party notification systems without any warning, minimization, or consent guidance.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger condition '涛哥手动要求' is ambiguous and identity-free, so the workflow can be activated by an imprecise or spoofed request rather than a clearly authorized user action. In an agent skill that performs local data collection and network fetches, vague activation criteria increase the chance of unintended execution and unauthorized access to local configuration data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow reads sensitive local state such as '~/.codex/config.toml' and performs multiple outbound requests, but it does not require informing the user or obtaining consent first. This creates a real privacy and security issue because the operator may unknowingly expose local configuration details or initiate network activity in contexts where such access is not expected or permitted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This workflow instructs the agent to create tmux sessions, launch an interactive Codex CLI, send prompts, inspect panes, and read files, but it does so without requiring explicit user confirmation or presenting safety warnings for system-impacting actions. In an agent-skill context, this increases the risk of unintended command execution, workspace inspection, or propagation of unsafe prompts into an autonomous toolchain, especially because the skill is designed to orchestrate further agent behavior via tmux and hooks.

Ssd 3

Medium
Confidence
89% confidence
Finding
The documented workflow says task completion, approval waits, and output content are synchronized to Telegram in real time. Because these are natural-language summaries or full outputs derived from the workspace and commands, they can leak sensitive project data, credentials, internal architecture, or incident details outside the local execution boundary.

Ssd 3

High
Confidence
96% confidence
Finding
The notify hook is described as sending Codex's full reply content to Telegram, which is a direct exfiltration path for anything Codex sees or generates, including code snippets, internal documents, secrets echoed in output, and sensitive reasoning about the repository. In an agent skill designed to operate over arbitrary local projects, this materially increases the chance of exposing confidential data to a third-party messaging surface.

Ssd 3

Medium
Confidence
93% confidence
Finding
Sending the exact pending command to Telegram can expose operational details such as repository paths, infrastructure hostnames, environment variable names, command-line arguments, or embedded secrets. Since approval prompts often occur around privileged or sensitive actions, mirroring them to chat increases exposure at precisely the riskiest moments.

Ssd 3

Medium
Confidence
96% confidence
Finding
The example and workflow encourage relaying assistant summaries and user inputs to external notification or messaging channels as part of an automated loop. In this skill context, which is designed to orchestrate Codex runs and asynchronous wake-ups, that guidance is more dangerous because it operationalizes routine export of potentially sensitive project data, making accidental leakage to third-party services more likely.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.