Codex History Visibility Repair

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to repair local Codex Desktop history, but it also changes Codex profile state and launches extra processes in ways that are not fully disclosed.

Install only if you are comfortable letting this skill modify your local Codex Desktop history database, JSONL session metadata, and global state files. Run the dry run first, review the backup path, avoid --verify-app-server unless you accept launching Codex app-server with analytics enabled, and be aware that the default repair may temporarily make the global state file read-only and start a delayed PowerShell unlock process.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not codex:
        return {"ok": False, "error": "codex executable not found"}

    proc = subprocess.Popen(
        [codex, "app-server", "--analytics-default-enabled"],
        cwd=str(workdir),
        stdin=subprocess.PIPE,
Confidence
94% confidence
Finding
proc = subprocess.Popen( [codex, "app-server", "--analytics-default-enabled"], cwd=str(workdir), stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subpr

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The verification feature starts Codex app-server and sends live protocol requests, which is outside the minimum capability needed to repair local history visibility. In this skill context, that makes the behavior more dangerous because the tool claims to keep changes local and avoid secrets, yet it can invoke a service with analytics enabled and interact with a broader application surface.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill spawns PowerShell and Codex subprocesses that are not strictly necessary for repairing local state files and SQLite metadata. In a security-sensitive automation context, extra process execution increases attack surface, complicates auditing, and can introduce unintended side effects or abuse opportunities if environment-controlled executables are resolved unexpectedly.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The module docstring asserts that the repair stays local and avoids secrets, but the code includes an optional path that launches Codex app-server with `--analytics-default-enabled`. That mismatch is dangerous because it can mislead operators into granting trust to a tool whose actual behavior is broader than advertised, increasing the chance of unintended telemetry or external interaction.

VirusTotal

VirusTotal findings are pending for this skill version.
