codex-mcp-server

Security Findings (8)

• CriticalArbitrary Code Execution

  codex:tool name or description implies arbitrary script/code execution (evaluate_script, execute javascript, etc.)

  Rule: AS-006Fix: This tool can execute arbitrary code or shell commands on the host system. Remove it unless strictly required. If kept: (1) restrict access to trusted users/agents only, (2) require human approval before each invocation (Claude Desktop: set approval_required: true; other clients: enable equivalent confirmation), (3) use the most restrictive sandbox or read-only mode available, and (4) never expose this tool to untrusted input sources.
• HighExcessive Permission Surface ×3

  • codex:tool declares network permission
  • codex:tool declares exec permission
  • websearch:tool declares network permission

  Rule: AS-002Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
• MediumExcessive Permission Surface ×2

  • codex:tool declares fs permission
  • review:tool declares fs permission

  Rule: AS-002Fix: Tool requests broad permissions (exec/fs/network). Validate input parameters using Enums where possible, and restrict file system operations to explicit allowed directories.
• LowDoS Resilience — Missing Rate Limit / Timeout ×2

  • codex:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration
  • websearch:tool performs network or execution operations but declares no rate-limit, timeout, or retry configuration

  Rule: AS-011Fix: Declare explicit rate-limit, timeout, and retry configuration for all network and execution tools. Implement exponential back-off and surface resource state to the calling agent.