Codex Autopilot

Security checks across malware telemetry and agentic risk

Overview

This is a powerful always-on coding autopilot whose core behavior is disclosed, but it can auto-approve permissions, run project commands, control agents, notify external services, and merge code with limited confirmation.

Install only in trusted, isolated repositories after reviewing the scripts and config. Disable or remove automatic permission approval, branch auto-merge, yolo/full-auto modes, repository-defined shell checks, Claude fallback, and external notifications unless you explicitly need them. Use private Telegram/Discord channels, least-privilege tokens, and keep this away from secrets or production branches until you have verified the behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (53)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    short_cmd = cmd if len(cmd) <= 50 else cmd[:47] + "..."
    
    try:
        result = subprocess.run(
            cmd,
            shell=True,
            capture_output=True,
Confidence
98% confidence
Finding
result = subprocess.run( cmd, shell=True, capture_output=True, timeout=COMMAND_TIMEOUT, cwd=project_dir )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        single_line = reply.replace('\n', ' ').replace('\r', ' ').strip()
        
        # Use -l (literal) so special characters are not interpreted
        result = subprocess.run(
            [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{window_name}',
             '-l', single_line],
            capture_output=True, text=True, timeout=10
Confidence
88% confidence
Finding
result = subprocess.run( [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{window_name}', '-l', single_line], capture_output=True, text=True, timeout=10

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        time.sleep(0.1)
        
        # Send Enter
        result = subprocess.run(
            [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{window_name}',
             'Enter'],
            capture_output=True, text=True, timeout=5
Confidence
87% confidence
Finding
result = subprocess.run( [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{window_name}', 'Enter'], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    try:
        cmd = [codex, 'exec', 'resume', session_id, reply, '--full-auto']
        process = subprocess.Popen(
            cmd,
            stdout=subprocess.DEVNULL,
            stderr=subprocess.PIPE,
Confidence
92% confidence
Finding
process = subprocess.Popen( cmd, stdout=subprocess.DEVNULL, stderr=subprocess.PIPE, text=True, cwd=project_dir or os.path.expanduser

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                 '-n', name, '-c', project_dir],
                capture_output=True, timeout=5
            )
            subprocess.run(
                [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{name}',
                 codex_cmd, 'Enter'],
                capture_output=True, timeout=5
Confidence
95% confidence
Finding
subprocess.run( [tmux, 'send-keys', '-t', f'{TMUX_SESSION}:{name}', codex_cmd, 'Enter'], capture_output=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        ax_helper = _get_ax_helper()
        if ax_helper and window.title:
            try:
                result = subprocess.run(
                    [ax_helper, 'activate', window.title],
                    capture_output=True, text=True, timeout=5
                )
Confidence
94% confidence
Finding
result = subprocess.run( [ax_helper, 'activate', window.title], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            '''
            
            try:
                result = subprocess.run(
                    ['osascript', '-e', script],
                    capture_output=True, text=True, timeout=5
                )
Confidence
98% confidence
Finding
result = subprocess.run( ['osascript', '-e', script], capture_output=True, text=True, timeout=5 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
                run_args: Any = command
            else:
                run_args = command_list if command_list else shlex.split(command)
            proc = subprocess.run(
                run_args,
                cwd=str(cwd),
                shell=use_shell,
Confidence
97% confidence
Finding
proc = subprocess.run( run_args, cwd=str(cwd), shell=use_shell, capture_output=True, text=True,

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill describes shell execution, file read/write, network notifications, environment/config handling, and persistent orchestration, yet it declares no permissions. This creates a transparency and consent failure: users may activate a highly privileged automation skill without understanding that it can send commands, modify projects, and exfiltrate status data to external services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose understates the operational scope of the skill relative to the behaviors listed in the file and finding, including notifications, fallback execution paths, PRD synchronization, branch workflows, desktop-input support, and token/log accounting. When a skill's declared scope does not fully match its effective capabilities, users and reviewers cannot accurately assess risk, which is especially dangerous for an autonomous coding orchestrator with broad system access.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
`mark_task_failed` is documented as marking a task as failed, but it actually resets the task state to `RUNNING`. In an automation/orchestration system, this can cause failed tasks to be retried indefinitely or treated as active work, bypassing failure handling, human intervention, or dependency logic and potentially creating unsafe autonomous loops.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The bot exposes high-impact operational commands over Telegram, including pause, resume, skip, approve, and retry, which directly alter project execution state. If the bot token is leaked, misconfigured, or chat authorization is too broad, an external party could manipulate automation pipelines, bypass human checkpoints, or disrupt task execution remotely.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The header documents permission handling as a simple Enter confirmation, but the implemented logic for both permission states sends "p" and Enter, explicitly selecting permanent allow. In an automation system that controls coding agents and shells via tmux, auto-granting persistent permissions can silently widen trust boundaries and remove human review for future privileged actions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This library reads Telegram bot credentials from a user config file and can send arbitrary message text to Telegram without the capability being disclosed in the manifest. In an automation skill, undocumented outbound messaging increases the risk of silent data exfiltration of prompts, project metadata, or code snippets to an external service.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script continuously scans tmux panes for a permission prompt and then sends keystrokes to approve it automatically. This defeats the security purpose of an interactive consent boundary, especially because it sends "p" before Enter, which appears to choose a more permissive or permanent approval path rather than a one-time confirmation.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The comments describe detection of a legitimate Codex permission dialog, but the implemented behavior escalates beyond detection by auto-selecting "p" and Enter. If "(p)" corresponds to permanent allow, the script is effectively granting persistent authorization without user review, widening exposure to future dangerous actions in that session.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
This verifier explicitly supports a `command` check type sourced from `prd-items.yaml`, then executes it in the project directory. Because the skill is designed for coding automation and CI/CD orchestration across repositories, a malicious repo can turn verification into arbitrary code execution, enabling secret theft, code tampering, or lateral movement in developer/CI environments.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comment asserts that repository-maintained `prd-items.yaml` is trusted input, but the surrounding code executes commands from that file, including via the shell. This misleading trust assumption is dangerous because it normalizes unsafe behavior and increases the chance the feature will be used on untrusted repositories in an automation pipeline.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The watchdog contains an undeclared fallback path that dispatches work to a separate Claude AgentTeam workflow when Codex weekly limits are low or exhausted. This expands the trust boundary and can transmit task content and project context to another automation path without clear user consent, making behavior materially different from a normal local watchdog.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script performs automatic branch merges once internal checks pass, which is a high-impact code modification operation beyond passive session monitoring. In an autonomous coding environment, auto-merge can push incorrect or malicious changes into the base branch without human review, amplifying any prior model mistake or prompt injection outcome.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The script sends Telegram and Discord notifications containing operational and task details to external services, but this data egress is not clearly disclosed in the skill description. In a coding watchdog, those messages may include task text, commit metadata, and issue summaries that reveal sensitive project information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list includes broad natural-language phrases such as development and CI/CD-related terms that could plausibly appear in ordinary user conversation. In a system that auto-invokes skills from trigger matching, this can cause unintended activation of a highly autonomous workflow that dispatches tasks, routes work to persistent tmux sessions, and may execute code without an explicit confirmation boundary.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README promotes 24/7 automation, automatic task dispatch, auto-recovery, test-triggered bugfix enqueueing, and persistent model sessions, but does not foreground a clear warning about operational consequences such as autonomous code changes, commits, notifications, or continuous background execution. In this context, omission of explicit user-facing risk disclosure increases the chance that operators enable the system without understanding that it can act continuously and modify projects with minimal human intervention.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README promotes sending project status, alerts, and task information through Telegram/Discord but does not warn users about the sensitivity of source code, secrets, logs, or internal metadata that may be included. In an automation system that continuously monitors projects and posts reports, this omission can lead to unintentional data leakage to third-party messaging platforms or misconfigured channels.

VirusTotal

67/67 vendors flagged this skill as clean.
