codex-runner

Security checks across malware telemetry and agentic risk

Overview

This skill intentionally runs autonomous Codex coding jobs in the background with sandboxing and approvals disabled, which gives broad unsupervised control over local files.

Install only if you deliberately want an unsandboxed background coding agent. Use it only in a dedicated, backed-up git repository with no secrets or sensitive files, monitor ~/.codex-logs, and verify the process stops afterward. Avoid arbitrary target directories and do not pass untrusted task text or paths to the shell scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The skill explicitly instructs use of `--dangerously-bypass-approvals-and-sandbox`, which disables core safety controls for a general-purpose coding task without any narrow justification or compensating safeguards. In this context, the agent can make arbitrary filesystem and command changes outside normal approval boundaries, substantially increasing the chance of destructive modification, data exposure, or execution of unsafe actions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The skill combines background execution via `nohup` with hard-coded proxy configuration, enabling long-running networked activity with reduced visibility and limited user control. For an unspecified coding task, this creates risk of covert data transfer, unmonitored external access, and persistence beyond the user’s active session.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The script explicitly documents that it is intended to bypass approvals and sandboxing, yet presents itself as a normal Codex Runner start command. That mismatch is dangerous because it normalizes an unsafe execution mode and may cause users to run untrusted tasks with full host access without understanding the risk.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The script unconditionally invokes Codex with `--dangerously-bypass-approvals-and-sandbox`, disabling core safety controls for every task it launches. In the context of an agent skill that may process adversarial prompts or operate in arbitrary directories, this can enable unrestricted filesystem access, command execution, and unintended destructive actions or data exfiltration.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The example prompt encourages the assistant to create directories and files locally through Codex, but it does not clearly warn that these actions can immediately modify the user’s filesystem. Because the skill is designed for autonomous coding in a target directory, users may trigger impactful write operations without understanding the scope of changes.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
User-supplied task text and target directory are embedded directly into a subagent request without any explicit notice that the content will be forwarded to another runtime. This can cause unintentional disclosure of sensitive instructions or data across execution boundaries, especially in an agent skill context where users may not realize their input is being delegated.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
Launching Codex with both approvals and sandbox protections bypassed, without an explicit safety warning, deprives the user of informed consent about a materially riskier execution mode. This increases the likelihood that operators will unknowingly expose their machine, credentials, and data to unsafe agent actions.

VirusTotal

66/66 vendors flagged this skill as clean.