Security audit

Codex Switcher

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for Codex account/profile switching, but it stores refreshable OAuth tokens and can modify active auth state with too little disclosed protection or user control.

Install only if you are comfortable letting this skill read, write, and refresh Codex OAuth credentials. Before use, restrict snapshot directories and files to owner-only permissions, confirm exactly which profile will become active before applying, keep backups for rollback, and revoke tokens if any snapshot directory may have been exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 90%
Finding: The skill declares capabilities to read/write sensitive local auth files and perform networked OAuth/quota operations, but there is no explicit permissions declaration or guardrail in the skill metadata. In a credential-management skill, that mismatch increases the chance of overbroad execution and makes security review and user consent weaker, especially because it handles high-value tokens and modifies the active auth profile.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The document explicitly instructs storing access and refresh tokens in local snapshot files under the user's home directory. While local token storage can be necessary for this workflow, the absence of guidance on file permissions, encryption, or user warning creates a real credential-exposure risk if the filesystem is shared, backed up insecurely, or accessed by malware.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding: The flow directs the skill to modify the active authentication configuration in place, which changes live agent auth state. Without an explicit warning, confirmation step, or backup behavior, users may unknowingly overwrite their current session context or operate under the wrong account, which can lead to accidental actions under unintended credentials.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The add/apply flow exchanges an OAuth authorization code for long-lived access and refresh tokens, then persists those secrets in plaintext JSON under the local state directory without any explicit warning, consent prompt, permission hardening, or secure storage mechanism. In a multi-user host, weakly permissioned home directory, or compromised local environment, those tokens can be stolen and reused to access the user's Codex account and refresh sessions.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
2. sign in in browser
3. run `cs add --apply '<callback-url>' [alias]`
4. if alias was omitted, derive it from the email automatically
5. create a new snapshot file for that account

### `cs refresh <alias>`
Force-refresh one snapshot using its refresh token.
Confidence: 87%
Finding:
create a new snapshot file for that account
### `cs refresh <alias>`
Force-refresh one snapshot using its refresh token.
### `cs refresh-all`
Scan every snapshot and automatically refresh only those

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.