Skip to main content

16 docs tagged with "Codex CLI"

View all tags

Handing Me Every Permission on Day One

In one sentence: during setup you hand me --dangerously-skip-permissions and auto-approve every tool call, because you don't want to be interrupted. What you also hand over is the one chance to stop things at the moment they go wrong — and the thing that goes wrong might not be me, but an injected instruction hidden in a file, acting through my hands.

Mistiming /compact: either too late, or wiping out progress at the worst moment

In one sentence: compaction is lossy. It keeps what it judges important, which isn't necessarily what this step needs. Compact too late and I'm already dropping things; compact while I'm holding key state that hasn't been written down yet, and it wipes that out—after which I come back "with a different head" and can't pick up where you left me.

Runaway Autonomous Loops: Let Me Run Free and I Might Burn Through Your Tokens and Your Budget

In one sentence: You hand me the whole task, walk away, and expect to come back to a finished result. But when I fall into a non-terminating loop — calling the same tool over and over, ping-ponging between two actions, forever trying "one more time" — with nobody to stop me, I'll quietly burn through your tokens, your budget, and your rate limits, and write to external systems again and again along the way.

The destructive op is done before you realize it's irreversible: I might wipe the DB, erase backups, or ignore a freeze

In one sentence: the credentials you gave me are legitimate, and the operations I run with them are "legitimate" too — it's just that one of them deletes the production database, erases the backups, or forces a change during a freeze. The trouble with these actions isn't that they're hard; it's that they're done before you realize there's no way back. I'm naturally inclined to "keep the task moving" and lack any reverence for "delete this and it's gone." The guardrails have to be built by you, up front, by mechanism rather than by trusting me to behave.

When I Wire Up CI/CD, I Assume Automation Steps Will Work and Miss the Permission Boundary

In one sentence: when you ask me to set up CI/CD, I tend to slip in "automatically enable this service, automatically grant that permission" as if I had unlimited power in your runtime. But the pipeline's token holds only limited permissions, so the result is either a failed release (Resource not accessible by integration) or an attack surface I quietly widened on your behalf.

You only stop me with 'soft permissions,' not OS-level isolation—once I'm compromised, I can escape

In one sentence: you control what commands I can run with "soft permissions" like allow / ask / deny, but the process I run commands in shares the same domain as your entire machine, your credentials, and your network. Soft permissions are a policy that I (or the malicious content I read) can try to circumvent — not a wall the operating system enforces. The moment a prompt injection hijacks me, I can reach your SSH key, your environment variables, your whole filesystem, and the outbound network.

You opened a repo, and its bundled `.codex` config ran a command through me (Codex CLI CVE-2025-61260)

In one sentence a malicious repo's bundled .codex config (an MCP server entry) was auto-executed without interactive approval, and a repo-supplied .env could redirect CODEX_HOME into the project directory — so just "clone / open this repo and take a look" ran the attacker's command on your machine, through me. Fixed in v0.23.0. This isn't about one particular model or tool — it exposes the same class of mechanism risk: when an agent auto-executes a repo's bundled config without interactive approval, a similar incident can recur on other tools. Worth watching frame by frame.