Codex Hook

Security checks across malware telemetry and agentic risk

Overview

This skill is a task automation tool, but it can run coding agents, restart work, push and merge pull requests, delete branches, and send task details externally without enough safeguards.

Install only if you intentionally want unattended coding-agent automation with repository write and GitHub merge authority. Before relying on it: try it first in a disposable or tightly protected repository, keep branch protections and required reviews enabled, keep sensitive material out of task prompts, do not enable external webhooks unless you trust the destination, and do not run the background monitors unless you want automatic retry/recovery behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (34)

Description-Behavior Mismatch

Severity: Medium
Confidence: 90%
Finding
A 'simplified' task execution skill that also performs automatic PR creation and merging can directly modify remote repositories in ways not obvious from the manifest. The context makes this more dangerous because the tool is positioned as orchestration support, yet it includes automated source-control actions that can land unreviewed or unsafe changes.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The skill supports Telegram, Discord, and generic webhook notifications, which can transmit task identifiers, progress, errors, PR links, and other operational metadata to external services without that capability being justified by the core manifest. In an agent-execution context, outbound notifications can leak sensitive repo, workflow, or prompt-derived information to third parties.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding
The script transmits task completion details to Telegram, an external service, using environment-provided credentials without clear justification in the stated purpose or explicit user disclosure. In an agent skill context, hidden outbound messaging increases data exfiltration risk because task names, status, and PR numbers may contain sensitive operational information.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The script is presented as a progress reporter, but it also mutates task state and autonomously attempts recovery of suspended jobs. That expands its authority from passive monitoring into active orchestration, which is dangerous because a monitoring component can unexpectedly restart work, mark tasks failed, and change operational state without user approval.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding
The script creates tmux sessions, launches `codex --full-auto exec`, and injects previously saved prompts into the new session. This gives a nominally reporting-oriented component the ability to initiate autonomous agent execution from stored task data, which can replay sensitive or dangerous actions without validating the prompt, workspace, or user intent.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The header comments describe a periodic checker and Telegram reporter, but the implementation also performs recovery and failure-state changes. This mismatch is security-relevant because users and reviewers may grant or deploy the script under the assumption that it is passive, while it actually has active control capabilities.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
This script exposes an `auto-merge` operation that delegates directly to another script with only a task ID and repo path, with no visible authorization, policy checks, branch protections, approval verification, or confirmation step in this entrypoint. In an agent-execution context, automatic merge materially increases the blast radius of prompt injection, task poisoning, or erroneous task completion by allowing unreviewed code to be merged into a repository.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The skill metadata describes a simplified task dispatch/execution/monitoring tool, but the script also includes a `create_pr` workflow that pushes branches to `origin` and opens GitHub pull requests. In an agent-execution context, adding remote repository side effects expands the trust boundary and can cause unintended code publication or exfiltration of generated changes beyond the local task runner's stated purpose.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The dispatcher performs `git push -u origin "$branch"` and `gh pr create`, which are remote-network actions not required for basic local task scheduling. In an automated agent system, these capabilities can publish code, prompt-derived output, or sensitive modifications to external services without strong consent controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script defines an isolation step that copies the target project into a clean worktree, but the execution flow never invokes that preparation before running the agent. As a result, the agent may run in an uninitialized or previously reused directory, breaking project isolation and potentially causing unintended reads or writes across task state.

Intent-Code Divergence

Severity: Low
Confidence: 89%
Finding
The script states it runs from a prepared worktree for correct session binding, but it can cd into a directory that this script never created or validated. That makes the execution context untrusted and can bind the agent session to stale, attacker-controlled, or unrelated project contents.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script is presented as a monitor, but it can actively modify state by retrying and re-dispatching tasks in the background. That behavior turns a passive observer into an execution trigger, which can re-run prompts and workflows from files under /tmp without explicit approval, increasing the risk of unintended code execution or repeated harmful actions if task metadata or prompt files are tampered with.

Context-Inappropriate Capability

Severity: Medium
Confidence: 83%
Finding
The monitor reads global Git state from $HOME/projects and can query GitHub CI/PR status, which broadens its access beyond the specific task being monitored. In a multi-repo or shared environment, this can expose unrelated workspace metadata in notifications or logs and creates unnecessary coupling to external repository state.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
Describing automatic PR merge flow without a strong warning about destructive or irreversible repository changes can mislead users into enabling automation that pushes, merges, and potentially deletes branches. In this skill's context, those actions affect shared remote repositories and can rapidly propagate bad or malicious changes.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The notification setup documents sending task data to Telegram, Discord, and webhooks but lacks a clear privacy/security warning about what information may leave the local environment. This is risky because task names, progress, errors, PR links, and possibly sensitive operational context can be exposed to third-party services or misconfigured endpoints.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding
The skill exposes a broad set of high-impact commands such as execute, start, stop, intervene, and auto-merge without any visible trigger constraints, authorization context, or exclusion rules in the metadata. In an automation/task-execution skill, ambiguous invocation scope increases the chance of unintended activation, command abuse, or unsafe chaining by an agent or orchestrator that relies on metadata to decide what actions are available.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script performs `gh pr merge --squash --delete-branch` without any explicit confirmation, dry-run, or safety interlock. In an automation/agent setting this can irreversibly merge unreviewed or incorrectly reviewed code into the main branch and delete the source branch, causing integrity loss and complicating recovery.
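The interlock this finding (and the earlier auto-merge findings) says is absent, as an added illustration; it is not code from the skill or from the scanner. It evaluates the record that `gh pr view <number> --json number,isDraft,reviewDecision,mergeable,mergeStateStatus,statusCheckRollup` returns, and only produces a `gh pr merge` command when the PR is approved, GitHub's own merge-state evaluation is CLEAN, every reported check succeeded, and the caller passed an explicit confirmation. It never runs `gh` itself; the `REQUIRED_CHECKS` set and the PR records in the usage are constructed for the example.

```python
import json
import subprocess

# Constructed policy: names of status checks that must have reported SUCCESS before a merge.
REQUIRED_CHECKS = {"ci"}

JSON_FIELDS = "number,isDraft,reviewDecision,mergeable,mergeStateStatus,statusCheckRollup"


def fetch_pr(pr_number: int) -> dict:
    """Fetch the PR record from GitHub (needs `gh` and network; not exercised offline)."""
    out = subprocess.run(["gh", "pr", "view", str(pr_number), "--json", JSON_FIELDS],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


def merge_blockers(pr: dict) -> list:
    """Return the reasons this PR must not be merged; an empty list means every gate passed."""
    blockers = []
    if pr.get("isDraft"):
        blockers.append("pull request is a draft")
    decision = pr.get("reviewDecision") or "no review"
    if decision != "APPROVED":
        blockers.append(f"review decision is {decision}, not APPROVED")
    if pr.get("mergeable") != "MERGEABLE":
        blockers.append(f"mergeable is {pr.get('mergeable')}")
    # CLEAN means GitHub's branch-protection evaluation is satisfied; BLOCKED, UNSTABLE, BEHIND are not.
    if pr.get("mergeStateStatus") != "CLEAN":
        blockers.append(f"merge state is {pr.get('mergeStateStatus')}, not CLEAN")
    seen = set()
    for check in pr.get("statusCheckRollup") or []:
        # CheckRun entries carry name/conclusion; StatusContext entries carry context/state.
        name = check.get("name") or check.get("context") or "<unnamed>"
        outcome = check.get("conclusion") if check.get("__typename") == "CheckRun" else check.get("state")
        seen.add(name)
        if outcome != "SUCCESS":
            blockers.append(f"check {name} is {outcome or 'pending'}")
    for missing in sorted(REQUIRED_CHECKS - seen):
        blockers.append(f"required check {missing} never reported")
    return blockers


def plan_merge(pr: dict, *, confirm: bool = False, delete_branch: bool = False) -> dict:
    """`confirm` must come from an operator flag or repo policy, never from anything the agent produced."""
    blockers = merge_blockers(pr)
    if blockers:
        return {"action": "refuse", "reasons": blockers}
    cmd = ["gh", "pr", "merge", str(pr["number"]), "--squash"]
    if delete_branch:
        cmd.append("--delete-branch")
    return {"action": "merge" if confirm else "dry-run", "command": cmd}


if __name__ == "__main__":
    import sys
    # Usage: python merge_guard.py <pr-number> [--yes]; without --yes it only prints the dry-run plan.
    print(json.dumps(plan_merge(fetch_pr(int(sys.argv[1])), confirm="--yes" in sys.argv), indent=2))
```

The guard complements server-side branch protection rather than replacing it: if protections are misconfigured, `mergeStateStatus` will still read CLEAN, so the local review and check gates are the second line of defence, and the dry-run default means an agent that calls the wrapper without the operator flag gets a plan, not a merge.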

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The help and documentation do not clearly disclose that task details are sent to Telegram, yet the script can transmit completion metadata off-host. This lack of disclosure is dangerous because users may run the skill in sensitive repositories without realizing data is being shared with an external messaging platform.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script automatically sends running task names, statuses, and session details to Telegram with no explicit consent flow or data-minimization controls visible here. This can leak operational metadata, internal identifiers, and potentially sensitive task context to an external messaging service, especially if task names contain confidential information.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script silently recreates tmux sessions and replays saved prompts from `/tmp` without any warning or confirmation. Because this can restart autonomous execution from persisted prompt content, an attacker or local process that can influence the prompt file or task registry may be able to trigger unintended agent actions or re-execution of sensitive workflows.
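One way to make prompt persistence safe to replay, covering this finding, the background re-dispatch finding above, and the plain-text `/tmp` finding below. This is an added example, not code from the skill: it assumes a per-user state directory outside `/tmp` (the caller supplies it), stores each prompt as 0600 JSON inside a 0700 directory, binds it with an HMAC to the task ID and workspace it was saved for, and refuses replay if the file is a symlink, owned by another user, readable by others, or fails the MAC. The key lives beside the records, so this detects tampering by other local users, not by a process already running as the same UID.

```python
import hashlib
import hmac
import json
import os
import stat
from pathlib import Path


class PromptIntegrityError(Exception):
    """Raised when a persisted prompt must not be replayed."""


def load_or_create_key(state_dir) -> bytes:
    """Per-user MAC key, created 0600 inside a 0700 state directory (assumed to be outside /tmp)."""
    state_dir = Path(state_dir)
    state_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(state_dir, 0o700)
    key_path = state_dir / "prompt-mac.key"
    if not key_path.exists():
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(32))
    return key_path.read_bytes()


def _mac(key: bytes, task_id: str, workspace: str, prompt: str) -> str:
    # MAC the whole binding so a record cannot be moved to another task or workspace.
    msg = json.dumps([task_id, workspace, prompt], separators=(",", ":")).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def save_prompt(state_dir, task_id: str, workspace: str, prompt: str) -> Path:
    key = load_or_create_key(state_dir)
    task_dir = Path(state_dir) / "tasks" / task_id
    task_dir.mkdir(parents=True, exist_ok=True)
    os.chmod(task_dir, 0o700)
    record = {"task_id": task_id, "workspace": workspace, "prompt": prompt,
              "mac": _mac(key, task_id, workspace, prompt)}
    path = task_dir / "prompt.json"
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)  # private from creation
    with os.fdopen(fd, "w") as f:
        json.dump(record, f)
    return path


def load_prompt_for_replay(state_dir, task_id: str, expected_workspace: str) -> str:
    """Return the prompt only if the file is private, untampered, and bound to this task and workspace."""
    key = load_or_create_key(state_dir)
    path = Path(state_dir) / "tasks" / task_id / "prompt.json"
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode) or st.st_uid != os.getuid() or (st.st_mode & 0o077):
        raise PromptIntegrityError("prompt file is a symlink, foreign-owned, or group/world accessible")
    record = json.loads(path.read_text())
    expected = _mac(key, record["task_id"], record["workspace"], record["prompt"])
    if not hmac.compare_digest(expected, record["mac"]):
        raise PromptIntegrityError("prompt record failed MAC check")
    if record["task_id"] != task_id or record["workspace"] != expected_workspace:
        raise PromptIntegrityError("prompt record is bound to a different task or workspace")
    return record["prompt"]
```

A monitor that wants to resume a suspended task calls `load_prompt_for_replay` with the task ID and the worktree it is about to `cd` into; a record that was edited in place, copied from another task, or written by another account is rejected before any `codex` session is created.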

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The script sends task identifiers, names, errors, progress, and optional outputs to Telegram, Discord, or arbitrary webhook endpoints without any consent gate, allowlist, or data minimization. In an agent skill context, these messages can contain sensitive operational or user data, creating a real data-exfiltration path to third-party services.
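The three controls this finding names (consent gate, destination allowlist, data minimization), applied to the Telegram/Discord/webhook notifications the earlier findings describe, as an added example that is not the skill's own code. It forwards only an allowlisted set of fields (never task names, prompts or raw outputs), truncates and redacts error strings, sends only to HTTPS destinations whose exact hostname is allowlisted, and returns nothing unless the user opted in. The hosts, field list, secret patterns and the task record in the test are constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed policy: destinations that may receive notifications, and the only fields allowed
# to leave the host. Task names, prompts and raw outputs are deliberately not on the list.
ALLOWED_HOSTS = {"api.telegram.org", "discord.com"}
ALLOWED_FIELDS = ("task_id", "status", "pr_url")

# Value shapes that must never be forwarded even inside an error string (constructed, not exhaustive).
SECRET_PATTERNS = (
    re.compile(r"ghp_[A-Za-z0-9]{20,}"),                                  # GitHub personal access token
    re.compile(r"\d{6,}:[A-Za-z0-9_-]{30,}"),                              # Telegram bot token shape
    re.compile(r"(?i)\b(api[_-]?key|token|secret|password)\s*[=:]\s*\S+"),  # key=value leaks
)
MAX_ERROR_CHARS = 200


def redact(text: str) -> str:
    for pattern in SECRET_PATTERNS:
        text = pattern.sub("[REDACTED]", text)
    return text


def destination_allowed(url: str) -> bool:
    """HTTPS only, exact hostname match: api.telegram.org.evil.test does not pass."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in ALLOWED_HOSTS


def build_payload(task: dict, *, include_error: bool = False) -> dict:
    """Project the task record onto the allowlisted fields; everything else stays on the host."""
    payload = {k: redact(str(task[k])) for k in ALLOWED_FIELDS if k in task}
    if include_error and task.get("error"):
        payload["error"] = redact(str(task["error"]))[:MAX_ERROR_CHARS]
    return payload


def prepare_notification(task: dict, url: str, *, opted_in: bool, include_error: bool = False):
    """Return the payload to send, or None when the user never opted in; unknown destinations fail closed."""
    if not opted_in:
        return None
    if not destination_allowed(url):
        raise PermissionError(f"refusing to notify non-allowlisted destination {urlparse(url).hostname!r}")
    return build_payload(task, include_error=include_error)
```

The opt-in flag belongs in the user's own configuration, not in task metadata, so that a poisoned task definition cannot switch notifications on; the allowlist check happens on every send rather than at setup time, so a later change to a webhook URL cannot redirect traffic silently.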

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
When a worktree path already exists, the script force-removes the worktree and deletes the corresponding branch with `--force`/`-D` and no confirmation. If task IDs collide or paths are misconfigured, this can destroy unmerged user work and cause local data loss.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding
The script persists task prompts in plain text under `/tmp/codex-results/tasks/.../prompt.txt` without warning or protection. Prompts can contain credentials, proprietary code, or operational instructions, and storing them in a predictable temporary location increases exposure to other local users or later accidental disclosure.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script launches `codex --sandbox workspace-write --full-auto exec`, granting an autonomous agent write access to the repository workspace. In this skill's context, that is materially dangerous because the tool is designed to dispatch tasks automatically, so unsafe prompts or compromised task definitions can directly modify code or repository state without human review.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
Stopping a task invokes `cleanup_worktree`, which force-removes the worktree and deletes the branch without any confirmation or visible warning in the help output. Users may reasonably expect 'stop' to terminate execution only, but here it can also erase in-progress changes and local history associated with the task.
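A cleanup planner that addresses this finding and the earlier worktree-collision finding, added here as an illustration (not the skill's `cleanup_worktree`). It refuses outright when the path is not exactly `<worktree_root>/<task_id>`, keeps the worktree when `git status --porcelain` shows uncommitted changes or `git log base..branch` shows unmerged commits unless an operator passes `force`, and otherwise emits the least destructive git commands that will succeed (`git worktree remove` without `--force`, `git branch -d` rather than `-D`). The paths, branch names and git outputs in the test are constructed.

```python
import subprocess
from pathlib import Path


def parse_porcelain(status_output: str) -> list:
    """Paths with uncommitted changes from `git status --porcelain` (format: XY<space>path per line)."""
    return [line[3:] for line in status_output.splitlines() if line.strip()]


def is_task_worktree(path, worktree_root, task_id: str) -> bool:
    """The worktree must be exactly <worktree_root>/<task_id>; anything else is a misconfiguration."""
    p = Path(path).resolve()
    return p.parent == Path(worktree_root).resolve() and p.name == task_id


def collect_state(worktree_path, repo_path, base: str, branch: str) -> tuple:
    """Run the two git commands the planner consumes (needs git and a real repo; not run offline)."""
    status = subprocess.run(["git", "-C", str(worktree_path), "status", "--porcelain"],
                            check=True, capture_output=True, text=True).stdout
    unmerged = subprocess.run(["git", "-C", str(repo_path), "log", "--oneline", f"{base}..{branch}"],
                              check=True, capture_output=True, text=True).stdout
    return status, unmerged


def cleanup_plan(path, branch: str, task_id: str, worktree_root, status_output: str,
                 unmerged_log: str, *, force: bool = False) -> dict:
    if not is_task_worktree(path, worktree_root, task_id):
        # A wrong path is refused unconditionally: `force` must never widen the blast radius.
        return {"action": "refuse",
                "reasons": [f"{path} is not the worktree for {task_id} under {worktree_root}"]}
    reasons = []
    dirty = parse_porcelain(status_output)
    if dirty:
        reasons.append(f"{len(dirty)} uncommitted change(s): {', '.join(dirty[:3])}")
    unmerged = [line for line in unmerged_log.splitlines() if line.strip()]
    if unmerged:
        reasons.append(f"{len(unmerged)} commit(s) on {branch} not merged into base")
    if reasons and not force:
        return {"action": "keep", "reasons": reasons}
    commands = [
        # `git worktree remove` refuses an unclean worktree unless --force is given.
        ["git", "worktree", "remove", *(["--force"] if dirty else []), str(path)],
        # `-d` refuses an unmerged branch; `-D` is only used when force was explicitly requested.
        ["git", "branch", "-D" if unmerged else "-d", branch],
    ]
    return {"action": "remove", "reasons": reasons, "commands": commands}
```

With this split, `stop` can terminate the tmux session and then call `cleanup_plan` without `force`: a task with unpushed work is left on disk with the reasons reported, and only a separate, explicitly forced cleanup path deletes it.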

VirusTotal

64/64 vendors flagged this skill as clean.
