Is codex-orchestration safe?

https://clawhub.ai/shanelindsay/codex-orchestration

62
CAUTION

This skill is a general-purpose orchestration framework for Codex that enables spawning parallel background agent processes via PTY terminals. While not overtly malicious, it significantly expands the attack surface by normalizing unsupervised background command execution, bypassing approval workflows ('YOLO config'), and creating dynamic worker prompt injection surfaces. The skill contains no executable code or exfiltration payloads itself, but its design patterns would amplify the impact of any co-installed malicious skill.

Category Scores

Prompt Injection 45/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 40/100 · 5%

Findings (10)

HIGH Bypasses approval workflows by default -25

The skill declares 'YOLO config (no approvals)' as a default assumption, instructing the agent to operate without user confirmation. This directly undermines safety guardrails that require user approval before executing potentially destructive actions.

HIGH Arbitrary background command execution by design -45

The skill's core functionality is spawning arbitrary shell commands via 'codex exec' in background PTY terminals. Worker prompts are dynamically constructed, and the skill provides no sandboxing, allow-listing, or permission restrictions on what commands can be run.

HIGH Strong persona override and authority delegation -15

The skill assigns the agent a persistent 'orchestrator' persona with authority to delegate work to sub-agents. This creates a hierarchical authority structure where the skill's instructions take precedence over user instructions, and sub-agents operate under the skill's directives rather than the user's direct control.

MEDIUM Persistent process execution via tmux/nohup -10

The skill suggests using tmux or nohup as fallback mechanisms for persistent process execution, meaning processes could survive the agent session and continue running without user awareness.

MEDIUM Temp file staging and web search exfiltration surface -15

Worker output is written to /tmp/ files and web search is enabled by default. Together these create a two-stage exfiltration path: sensitive data gathered by workers written to temp files, then potentially exfiltrated via web search queries or URL fetches.

MEDIUM Worker prompt injection surface -15

Worker prompts are constructed by concatenating the preamble with task-specific content. Since workers are spawned as separate agent sessions, malicious content in the task description could inject instructions that override the worker preamble's constraints.

MEDIUM Workers can access arbitrary files without restriction -10

The implementer worker template grants file editing scope ('may edit <specific files/sections>') and no worker template restricts filesystem access. Workers could read any file accessible to the agent process, including credentials and private keys.

LOW Normalizes unsupervised parallel execution -10

By establishing parallel background execution as the default workflow pattern, this skill trains users and agents to accept unsupervised multi-process operation as normal, reducing vigilance against genuinely malicious background activity.

INFO Runtime reads sensitive config files during install -5

The openclaw runtime (not the skill itself) read .env, .aws/credentials, and other config files during installation. This is attributable to the runtime environment, not the skill, but worth noting.

INFO All canary files intact 0

No honeypot files were accessed or modified, indicating no automated credential harvesting during installation.