Codex Swarm
Security checks across malware telemetry and agentic risk
Overview
This is a coherent Codex swarm helper, but it can run autonomous coding agents in the background and push or merge code to your remote repository without a final human approval by default.
Install only if you want autonomous Codex agents to modify and publish code. Prefer running on a fork or protected branch, set SWARM_AUTO_MERGE=false, manually review endorsements and PRs, restrict task IDs to safe characters, and disable external notifications unless you trust the endpoint.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A failed or incorrect automated review/merge could be pushed to the main branch of the user's remote repository.
The integration watcher defaults SWARM_AUTO_MERGE to true and pushes main after automated merge/review steps, creating a high-impact repository mutation without a required final human confirmation.
if [ "${SWARM_AUTO_MERGE:-true}" = "true" ]; then
  git push origin main ...
Default SWARM_AUTO_MERGE to false, require an explicit final approval before pushing main, and run this only on protected branches or disposable forks until reviewed.
Users may believe each agent task requires a separate manual endorsement, but the batch path approves tasks automatically.
The batch script automatically endorses every task before spawning agents, which weakens the stated endorsement gate as a user-safety control.
for i in $(seq 0 $((TASK_COUNT - 1))); do
  TASK_ID=$(jq -r ".[${i}].id" "$TASKS_JSON")
  bash "$SCRIPTS_DIR/endorse-task.sh" "$TASK_ID"
done
Require a manual confirmation or pre-existing endorsement file for each task, and clearly document that batch mode auto-endorses if this behavior is retained.
The skill can act through the user's existing repository and GitHub permissions, including publishing changes remotely.
Spawned Codex agents are instructed to use the user's local git/GitHub credentials to push branches and create PRs, while the registry metadata declares no primary credential or required environment variables.
2. Push: git push origin ${BRANCH}
3. Create PR: gh pr create --fill
Use a limited-scope repository account or fork, ensure branch protections are enabled, and declare the GitHub/git/Codex credential expectations clearly.
If task JSON or project/task identifiers come from an untrusted source, they may be able to trigger unintended local shell commands.
The script generates and executes a shell runner by interpolating values derived from command arguments/tasks; crafted values containing quotes or shell metacharacters could alter the generated script.
cat > "$RUNNER" << RUNEOF ... cd "$WORKTREE_DIR" ... codex exec --full-auto -c "model=\$CUR_MODEL" -c "model_reasoning_effort=$REASONING" - < "$PROMPT_FILE"
Validate task IDs, model names, reasoning values, and paths against safe character allowlists, or generate runner scripts using robust shell escaping such as printf %q.
Agents and watchers may continue modifying worktrees, committing, reviewing, or pushing after the initial command returns.
The skill intentionally launches detached tmux sessions and background watcher processes so agents keep running independently.
tmux new-session -d -s "$TMUX_SESSION" ... "bash $RUNNER" ... bash "$SCRIPTS_DIR/notify-on-complete.sh" ... &
Monitor tmux sessions, use the cleanup script carefully, and run this only in repositories where autonomous background coding is acceptable.
Task names, batch IDs, and status messages may be sent to third-party chat or webhook services if notifications are enabled.
Notifications can be sent to a configured webhook or Telegram bot; this is disclosed and purpose-aligned, but it is an external communication channel.
curl -s -X POST "$SWARM_WEBHOOK_URL" ...
curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage" ...
Enable notifications only with trusted endpoints and avoid putting secrets or sensitive project details in task IDs or notification text.
Users may not realize the skill depends on several local command-line tools and existing CLI authentication until they inspect the instructions.
The registry metadata does not declare required tooling, while SKILL.md later requires bash, tmux, git, gh, jq, and codex.
No install spec — this is an instruction-only skill. Required binaries ... none.
Declare required binaries and credential expectations in metadata, and review the shell scripts before copying them into a workspace.
