Codex Sub Agents 1

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is a coherent guide for delegating coding work to Codex CLI, but it encourages broad, autonomous, write-capable execution and credential reuse without enough guidance on keeping the user in control of what the agent may change.

Install only if you intentionally want Clawdbot or subagents to use Codex CLI to edit code and run commands. Prefer read-only or approval-required modes first, avoid `--full-auto`, `--yolo`, and `danger-full-access` for untrusted repositories, keep work scoped with `--cd` and limited writable paths, review diffs before committing, and treat copied Codex auth files as sensitive credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Vague Triggers

Severity: Medium
Confidence: 93%

Finding
The trigger list is extremely broad and overlaps with common software-development requests like code review, refactoring, and feature implementation. In an agent ecosystem, this can cause unintended activation of a highly privileged coding tool, increasing the chance that sensitive repositories or commands are handled by a tool with filesystem and execution access without explicit user intent.

Vague Triggers

Severity: Low
Confidence: 88%

Finding
The 'When to Use' section is written as a broad catch-all for many normal coding tasks, with little guidance on when not to invoke the skill. Because this skill explicitly grants local filesystem access and may run commands, ambiguous activation criteria raise the risk of over-delegation to a powerful tool in situations where a safer read-only workflow would suffice.

Missing User Warnings

Severity: Medium
Confidence: 94%

Finding
The documentation explicitly recommends `codex exec --full-auto` for trusted repositories but does not warn that this mode can autonomously modify files and potentially execute consequential coding actions with limited human review. In an agent-integration skill, that guidance lowers operator caution and can normalize handing broad write capability to an LLM-driven CLI, increasing the chance of unintended destructive changes or abuse if prompts, repos, or task inputs are adversarial.

Missing User Warnings

Severity: Medium
Confidence: 91%

Finding
The skill describes automatic synchronization of OAuth tokens from `~/.codex/auth.json` into another application path without warning that this copies sensitive credentials across storage locations. In a multi-agent integration context, duplicating tokens expands the credential exposure surface, increases accidental leakage risk through logs/backups/misconfigured permissions, and may enable unauthorized reuse if either path is compromised.
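The practical check behind this finding is whether a copied auth file is actually protected as a credential. The audit below is an added example for this report, not code from the skill, from Codex CLI or from SkillSpector: it takes a list of candidate paths (the original `~/.codex/auth.json` and the application path it is synced to), and flags any copy whose mode bits let group or other read it, any copy sitting inside a git worktree (where it can be committed or swept into backups), and any copy whose contents duplicate token material already seen at another path. The auth file is treated as opaque bytes because the page does not document its schema; the sample files, the `other-app` directory name and the token string are constructed for the example.

```python
from __future__ import annotations

import hashlib
import shutil
import stat
import tempfile
from pathlib import Path


def in_git_worktree(path: Path) -> bool:
    """True if any ancestor directory of `path` contains a .git entry."""
    return any((parent / ".git").exists() for parent in path.resolve().parents)


def audit_credential_copies(paths: list[str]) -> list[str]:
    """Return human-readable findings for every existing file in `paths`.

    Checks: permission bits beyond 0600, location inside a git worktree, and
    byte-identical content (the same token material living in two places).
    """
    findings: list[str] = []
    seen: dict[str, Path] = {}          # sha256 of contents -> first path seen
    for raw in paths:
        p = Path(raw).expanduser()
        if not p.is_file():
            continue                    # nothing synced here (yet)
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & 0o077:
            findings.append(f"{p}: mode {mode:04o} is readable by group or other; expected 0600")
        if in_git_worktree(p):
            findings.append(f"{p}: inside a git worktree, could be committed or picked up by backups")
        digest = hashlib.sha256(p.read_bytes()).hexdigest()
        if digest in seen:
            findings.append(f"{p}: duplicates the token material in {seen[digest]}")
        else:
            seen[digest] = p
    return findings


def build_constructed_example() -> tuple[str, str]:
    """Create a throwaway auth.json-style file and a less protected copy of it.

    Everything here is constructed for the example: the directory layout, the
    fake `.git` marker and the token value. Nothing is a real credential.
    """
    base = Path(tempfile.mkdtemp(prefix="codex-audit-"))
    src = base / "codex" / "auth.json"
    src.parent.mkdir()
    src.write_text('{"tokens": {"access_token": "constructed-example-token"}}')
    src.chmod(0o600)
    repo = base / "other-app"           # stands in for the sync target path
    (repo / ".git").mkdir(parents=True)
    dst = repo / "auth.json"
    shutil.copy(src, dst)               # the "automatic synchronization" step
    dst.chmod(0o644)                    # a typical default-umask copy
    return str(src), str(dst)


if __name__ == "__main__":
    src, dst = build_constructed_example()
    for line in audit_credential_copies([src, dst]):
        print(line)
```

Run it against the real paths by replacing the constructed example with `audit_credential_copies(["~/.codex/auth.json", "<synced path>"])`; an empty list means the copy is 0600, outside any repository and not a byte-for-byte duplicate, which is the minimum you want before enabling the sync.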

Missing User Warnings

Severity: Medium
Confidence: 92%

Finding
The reference documents a `--yolo` mode that disables both approvals and sandboxing, but the warning is minimal and easy to overlook in a terse command table. In a skill meant to help an agent delegate coding work, this can normalize unsafe execution and lead users or downstream agents to run arbitrary code or file-modifying actions without meaningful safeguards.

Missing User Warnings

Severity: Medium
Confidence: 89%

Finding
`codex apply <task_id>` is described only as applying a cloud diff locally, without clearly warning that it changes local files. In an agent-driven coding workflow, users may treat this as a review action rather than a write operation, increasing the risk of unintended file modification or introduction of untrusted changes into the workspace.
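The Overview's advice (prefer read-only or approval-required modes, avoid `--full-auto`, `--yolo` and `danger-full-access`, scope work with `--cd`) and the `--full-auto`, `--yolo` and `codex apply` findings above all reduce to one gate: inspect the command an agent is about to run before it runs. The policy check below is an added example for this report, not code from the skill, from Codex CLI or from SkillSpector. It parses a `codex` command line, blocks invocations that remove approvals or sandboxing or that point `--cd` outside an allowed root, and marks `exec`/`apply` and any non-read-only sandbox as needing diff review. The flag names the page itself uses (`--full-auto`, `--yolo`, `danger-full-access`, `--cd`, `exec`, `apply`) are taken as given; the spellings `--sandbox`/`-s`, `--ask-for-approval`/`-a`, `-C`, the value `never` and the long form `--dangerously-bypass-approvals-and-sandbox` are assumptions for this example and should be checked against `codex --help`. The sample commands are constructed.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass, field
from pathlib import Path

# Flags named on the page as disabling approvals and/or the sandbox
# (the long form is an assumed alias of --yolo for this example).
BYPASS_FLAGS = {"--full-auto", "--yolo", "--dangerously-bypass-approvals-and-sandbox"}
# Option spellings below are assumptions for this example; confirm with `codex --help`.
SANDBOX_OPTS = {"--sandbox", "-s"}
APPROVAL_OPTS = {"--ask-for-approval", "-a"}
CD_OPTS = {"--cd", "-C"}
VALUE_OPTS = SANDBOX_OPTS | APPROVAL_OPTS | CD_OPTS
# Subcommands the report describes as changing local files.
WRITE_SUBCOMMANDS = {"exec", "apply"}


@dataclass
class Assessment:
    verdict: str                                  # "block", "review" or "allow"
    reasons: list[str] = field(default_factory=list)


def parse_codex_argv(argv: list[str]) -> tuple[str | None, dict[str, str]]:
    """Split a codex argv into (subcommand, options).

    Accepts both `--opt value` and `--opt=value`. Only a known write
    subcommand is recorded; other positionals (the prompt, a task id) are ignored.
    """
    opts: dict[str, str] = {}
    subcommand = None
    i = 1
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("-"):
            name, eq, val = tok.partition("=")
            if name in BYPASS_FLAGS:
                opts[name] = "true"
            elif name in VALUE_OPTS:
                if not eq:                        # value is the next token
                    i += 1
                    val = argv[i] if i < len(argv) else ""
                opts[name] = val
        elif subcommand is None and tok in WRITE_SUBCOMMANDS:
            subcommand = tok
        i += 1
    return subcommand, opts


def _first(opts: dict[str, str], names: set[str]) -> str | None:
    """Value of whichever spelling of an option was used, if any."""
    return next((opts[n] for n in names if n in opts), None)


def assess_codex_command(cmd: str, allowed_root: str) -> Assessment:
    """Classify a codex command line against the page's recommended limits."""
    argv = shlex.split(cmd)
    if not argv or Path(argv[0]).name != "codex":
        return Assessment("allow", ["not a codex invocation"])
    subcommand, opts = parse_codex_argv(argv)
    block: list[str] = []
    review: list[str] = []

    for flag in sorted(f for f in BYPASS_FLAGS if f in opts):
        block.append(f"{flag} disables approvals and/or the sandbox")
    sandbox = _first(opts, SANDBOX_OPTS)
    if sandbox == "danger-full-access":
        block.append("sandbox danger-full-access grants unrestricted filesystem access")
    elif sandbox != "read-only":
        review.append(f"sandbox {sandbox or 'default'} is not read-only")
    if _first(opts, APPROVAL_OPTS) == "never":
        block.append("approval mode never removes human review")

    cd = _first(opts, CD_OPTS)
    root = Path(allowed_root).expanduser().resolve()
    if cd is None:
        review.append("no --cd given: work is not scoped to an explicit directory")
    elif not Path(cd).expanduser().resolve().is_relative_to(root):
        block.append(f"--cd {cd} is outside the allowed root {root}")

    if subcommand in WRITE_SUBCOMMANDS:
        review.append(f"codex {subcommand} writes local files: review the diff before committing")

    if block:
        return Assessment("block", block + review)
    if review:
        return Assessment("review", review)
    return Assessment("allow", ["read-only, scoped to the allowed root, approvals intact"])


if __name__ == "__main__":
    for sample in (                                # constructed sample commands
        'codex exec --full-auto "fix the failing tests"',
        "codex exec --sandbox workspace-write -a on-request --cd /work/repo/api 'add a route'",
        "codex --sandbox read-only -C /work/repo 'explain the build'",
        "codex apply abc123 --cd /tmp/other",
    ):
        a = assess_codex_command(sample, "/work/repo")
        print(a.verdict.upper(), sample, *a.reasons, sep="\n  ")
```

Wire this in front of whatever actually spawns the process: `block` verdicts are refused outright, `review` verdicts are allowed to run but the resulting `git diff` is shown to a human before any commit, and only `allow` verdicts (read-only sandbox, explicit `--cd` inside the permitted root, no write subcommand) proceed unattended.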

Missing User Warnings

Severity: Medium
Confidence: 87%

Finding
The `/feedback` command says it sends logs to maintainers but does not warn that logs may contain local prompts, file paths, command history, or other sensitive session data. In a coding-agent context, this creates a meaningful privacy and data-exposure risk because sessions often include proprietary source code and credentials-related context.

VirusTotal

None of the 45 VirusTotal vendors flagged this skill; all 45 reported it as clean.
