codex-manager-rust

CRITICAL E005: Suspicious download URL detected in skill instructions.

• Suspicious download URL detected (high risk: 0.85). These URLs include direct downloads of executables from a single, unverified GitHub account (qxcnm) plus instructions to run them and configure local API endpoints that may expose sensitive tokens and data, so downloading/executing them without verification is potentially dangerous.

CRITICAL E006: Malicious code pattern detected in skill scripts.

• Malicious code pattern detected (high risk: 0.90). The skill exposes deliberate abuse-enabling features — import/export of access/session tokens, account-pool rotation and anti-captcha guidance to evade rate limits, a plugin/runtime (Rhai) with system_call access to internal account APIs, and configurable upstream/proxy forwarding — which together enable credential collection, data exfiltration to arbitrary endpoints, and remote execution/control via installed plugins or malicious upstreams.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill explicitly supports adding arbitrary upstreams via the Aggregation API (e.g., POST /api/aggregation/upstreams with a base_url), remote model sync (/api/models/sync and models_cache.json), and a plugin/market system that can install custom plugins/markets, all of which ingest and/or execute untrusted third-party content and can influence runtime behavior.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

• Potentially malicious external URL detected (high risk: 0.90). The installation instructs fetching and executing remote binaries (e.g., wget https://github.com/qxcnm/Codex-Manager/releases/latest/download/codexmanager-service, https://github.com/qxcnm/Codex-Manager/releases/latest/download/codexmanager-web, https://github.com/qxcnm/Codex-Manager/releases/latest/download/codexmanager-start) and/or pulling the docker image qxcnm/codexmanager:latest, which are runtime external dependencies that deliver and execute remote code.

MEDIUM W013: Attempt to modify system services in skill instructions.

• Attempt to modify system services in skill instructions detected (medium risk: 0.40). The prompt includes explicit system-altering commands—notably a macOS Gatekeeper bypass (xattr -dr com.apple.quarantine) plus chmod/rm/installer instructions and service start steps—that instruct modifying system state and circumventing a security mechanism, so it poses a moderate risk even though it doesn't request sudo or create users.