use-codex

Warn

Audited by Socket on May 15, 2026

4 alerts found:

Anomaly, Security x3

Anomaly LOW
scripts/codex-cc/lib/app-server.mjs

No direct indicators of malware (e.g., exfiltration, backdoor, credential theft, or exploit code) are present in this fragment. However, it introduces moderate-to-high operational security risk due to (1) spawning an external binary by name (`codex`) with inherited/broad environment variables, (2) unusual Windows `shell` configuration, and (3) connecting to a broker endpoint/path derived from environment/session configuration without visible allowlist/validation in this fragment. The security posture depends heavily on how `parseBrokerEndpoint`, protocol handlers (`handleLine/handleChunk`), and option/environment sourcing are validated elsewhere.

Confidence: 58%, Severity: 62%

Security MEDIUM
scripts/run-fleet.sh

This script is an orchestration runner for `codex exec` plus git auto-commit. It does not directly show classic malware (no hardcoded secrets, no explicit exfiltration), but it contains a significant security issue: post-verify commands from the manifest are executed via `eval "$pv_cmd"`, enabling arbitrary shell command execution if an attacker can influence the manifest fields (supply-chain/CI sabotage risk). Overall: low direct malware evidence, but meaningful security alert due to eval-driven untrusted command execution.

Confidence: 74%, Severity: 78%

Security MEDIUM
SKILL.md

SUSPICIOUS: the skill is purpose-aligned as a Codex orchestration wrapper and uses official OpenAI tooling, so it is not clearly malicious. However, its footprint is high-risk for an agent skill because it mandates sandbox-bypass execution, performs detached multi-worker automation, reads local auth/config state, and can route prompts and code through proxies; these risks are substantial even though they are largely consistent with the stated purpose.

Confidence: 84%, Severity: 72%

Security MEDIUM
references/modes/exec.md

No direct malware payload is evident, but the module has material supply-chain security weaknesses. The critical issue is command execution via `eval "$pv_cmd"` for per-task `post_verify_cmd` (a high-impact injection/RCE risk if task configuration is not strictly trusted). Additionally, auto-committing with `git add -A` without baseline-aware allowlisting can persist unintended or sensitive artifacts produced by the agent. Verification failures may be recorded without blocking 'done', so unsafe outcomes depend on operator review rather than hard gating.

Confidence: 66%, Severity: 72%

Audit Metadata
Analyzed At: May 15, 2026, 03:56 PM
Package URL: pkg:socket/skills-sh/yigitkonur%2Fskills-by-yigitkonur%2Fuse-codex%2F@c75b131cf687c452011b30b4b794c54a965506bf