Security risk report for @forgecat/openai_codex-plugin-cc_codex v0.1.3
Source Integrity
Low
Profile is attributed to OpenAI and references a public GitHub repository (https://github.com/openai/codex-plugin-cc).
Static scanner confirms low risk; source is a known, legitimate upstream.
Agent Intent
Low
The profile documents legitimate code-review and task-delegation workflows; it does not instruct the AI to ignore instructions, exfiltrate data, or leak system prompts.
Guidance in skills (e.g., gpt-5-4-prompting) teaches prompt composition best practices and verification loops—standard security-conscious patterns, not poisoning.
Commands are read-only (review, adversarial-review) or forward-only (rescue, transfer, status, result, cancel) with no hidden instructions to manipulate the AI's behavior or hide its own instructions.
Details
Evidence
README and command files describe legitimate use cases: code review, task delegation, session transfer.
Skills explicitly instruct the subagent to be a 'thin forwarder' and return output 'verbatim' without modification (codex-rescue.md, codex-result-handling/SKILL.md).
No instructions to read credentials, disable security checks, or install attacker-controlled dependencies.
Permissions
PRM-003Medium
Several commands declare `Bash(node:*)` and `Bash(git:*)` tool access, which is reasonably scoped to running the local companion script and inspecting git state for review sizing.
The static scanner flagged three hook files (`session-start.sh`, `session-end.sh`, `stop-review-gate.sh`) that have no matching tool declarations in the profile — these shell hooks could execute arbitrary Bash at session lifecycle events without explicit user invocation.
The `codex-rescue` agent declares `tools: Bash` (unrestricted Bash) combined with `model: sonnet`, which is broader than strictly necessary for a thin forwarding wrapper, though the instructions tightly constrain its use to a single `node` invocation.
Details
Findings
./hooks/session-start.sh
./hooks/session-end.sh
./hooks/stop-review-gate.sh
Evidence
agents/codex-rescue.md frontmatter: 'tools: Bash'
MCP Risk
Low
No MCP servers are defined in the profile.
The profile delegates to external Codex CLI and OpenAI APIs, which are documented dependencies, not hidden MCP definitions.
No arbitrary binary execution or unrestricted network access is declared within the profile itself.
Details
Evidence
Profile metadata states '(none)' for MCP servers.
Dependencies are explicit: Node.js 18.18+, Codex CLI, OpenAI API key (standard, documented).