Back to skill

Security audit

Codex Review

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Codex usage-review tool whose sensitive scanning is disclosed and aligned with its purpose, with privacy cautions around generated reports.

Install only if you are comfortable letting the skill read recent Codex history and workspace artifact metadata on your machine. Keep generated JSON and HTML reports private, use --no-open for unattended or shared-screen runs, and review any recurring automation before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads entire automation.toml files into memory and searches them with a regex even though the stated purpose is only to determine whether a weekly review automation exists. Automation configs can contain task prompts, paths, schedules, and other operational details unrelated to the report, so this creates unnecessary collection of potentially sensitive local data and broadens the privacy footprint of the skill. In the context of a 'usage review' skill that already aggregates session history, this over-collection is more concerning because it centralizes multiple categories of user activity metadata into one output.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill instructs automatically opening a generated local HTML report in the browser by default. Even though the report is local, auto-opening can unexpectedly expose sensitive usage history or prompts on screen, trigger embedded active content if the generated HTML is unsafe, and violates the principle of explicit user consent for potentially privacy-impacting display actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill enables implicit invocation without any trigger constraints, allowing it to activate based on broad matching rather than explicit user intent. Because this skill scans recent Codex sessions, local project artifacts, skills, automation tasks, and token records, unintended activation could expose sensitive local metadata or analysis outputs when a user did not clearly request this level of review.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script traverses Codex session history under ~/.codex, extracts user and assistant message content, aggregates token usage, infers project names, and writes a consolidated JSON report without any built-in consent gate, notice, or scope restriction beyond time range. Session histories can contain prompts, task details, file paths, and sensitive business context, so silently harvesting and repackaging them increases privacy and data exposure risk. The skill context makes this more dangerous because the advertised purpose is retrospective behavior analysis, meaning users may trigger it expecting convenience while not realizing how much conversation content is being processed and persisted.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/build_report.mjs:287