codex-sdk
Audited by Socket on Mar 19, 2026
1 alert found:
Obfuscated File
The script itself is an orchestration harness without overtly malicious code, but it purposefully executes code fetched at runtime via 'npx codex mcp-server' and grants agent-driven write permissions to the repository workspace. This creates a significant supply-chain and file-modification risk: a compromised or malicious MCP server (or its dependencies) could execute arbitrary commands, modify or exfiltrate repository data, or install persistent backdoors. Before using this code in a production or sensitive environment, audit and pin the external package, inspect or vendor the MCPServerStdio and codex MCP server implementation, limit write scope, reduce session duration, and run in an isolated environment.