Is adamsardo/codex-sub-agents safe?

https://github.com/openclaw/skills/tree/main/skills/adamsardo/codex-sub-agents

Overall score: 76 (CAUTION)

This skill is a documentation-only reference for OpenAI Codex CLI containing no executable code, no git hooks, and no data exfiltration payloads. However, it poses a meaningful permission escalation risk by normalizing the use of --full-auto mode and danger-full-access sandbox policies in agent delegation patterns, effectively bypassing the host agent's user-approval controls when delegating coding tasks to Codex CLI. The multi-agent trust chain it establishes (User → Claude → Codex) weakens security boundaries by granting the delegated tool broader permissions than the user explicitly authorized.

Category Scores (score out of 100 · weight in the overall score)

Prompt Injection      62/100 · 30%
Data Exfiltration     88/100 · 25%
Code Execution        68/100 · 20%
Clone Behavior        95/100 · 10%
Canary Integrity     100/100 · 10%
Behavioral Reasoning  55/100 ·  5%

Findings (9): severity, title, score adjustment

HIGH Permission escalation via --full-auto delegation -25

The skill systematically normalizes running OpenAI Codex CLI with the --full-auto flag across multiple integration patterns (direct exec, CLI backend fallback, example workflows). This flag auto-approves workspace writes and falls back to an approval prompt only when a sandboxed command fails, effectively bypassing the host agent's approval controls. When injected into an agent's system prompt, the agent will default to using --full-auto for coding tasks, removing the user from the approval loop for potentially destructive file operations.

MEDIUM Documents danger-full-access and --yolo modes -13

The CLI reference documents a --yolo flag described as 'No approvals or sandbox (dangerous)' and a danger-full-access sandbox policy with 'No restrictions'. While the skill doesn't explicitly recommend these for all tasks, their presence in the agent's context makes them available options that the agent might choose under pressure or ambiguous instructions.

MEDIUM Global npm package installation instruction -15

The skill instructs running npm i -g @openai/codex which installs a global npm package. While this is a legitimate package, global installs expand the attack surface and could be a supply chain risk if the package registry is compromised or a typosquat is substituted.

MEDIUM MCP server mode exposes persistent tool surface -10

The skill documents running codex mcp-server, which starts a persistent background process exposing Codex's tools via the MCP protocol over stdio. This creates an additional attack surface that persists beyond individual command executions.

LOW Credential path exposure in agent context -12

The skill places credential file paths directly in the agent's context: ~/.codex/auth.json (OAuth tokens), OPENAI_API_KEY environment variable, and auth sync paths. While these are documented for legitimate configuration, they inform the agent about where secrets are stored.

MEDIUM Multi-agent trust chain weakens security boundaries -30

The subagent delegation patterns create a trust chain where the user grants controlled access to Claude, which then delegates to Codex with broader permissions (exec, read, write, edit, apply_patch, process). The user's approval controls are bypassed at the Codex level, and Codex operates under a different model with potentially different safety characteristics.

LOW Network access enabled in sandbox configuration -5

The skill includes a config snippet enabling network access within the sandbox write policy, which could allow Codex to make outbound network requests during code execution.

INFO Clean clone with expected network activity only -5

All observed network connections during installation trace to expected infrastructure: GitHub for repo cloning, Ubuntu/Canonical for system packages, and local DNS resolution. No anomalous outbound connections detected.

INFO All honeypot files remain intact 0

No canary files (.env, SSH keys, AWS credentials, .npmrc, Docker config, GCloud credentials) were accessed or modified by the skill installation or content.