Use when user asks to leverage codex, gpt-5, or gpt-5.1 to implement something (usually implement a plan or feature designed by Claude). Provides non-interac...
Security Analysis
medium confidenceThe skill's stated purpose (automating code tasks via the Codex CLI) matches its instructions, but the runtime guidance explicitly encourages bypassing prompts/sandboxes and granting broad filesystem/network rights — a risky combination given the skill's unknown origin and lack of install provenance.
The name/description match the SKILL.md: it is a Codex CLI operator that automates coding tasks (worktree setup, PR flow, editing files). Requiring tmux/git/npm-style installs in the instructions aligns with that purpose. However the skill's stated goal of 'hands-off task execution without approval prompts' and recommended flags that grant 'danger-full-access' exceed what a neutral helper usually needs and deserve scrutiny.
The instructions direct the agent to run codex with flags that auto-approve file edits (--full-auto / -s workspace-write), skip prompts and sandboxing (--dangerously-bypass-approvals-and-sandbox), and enable full network/system access (-s danger-full-access). They also recommend running package managers (pnpm/npm/pip), creating worktrees, writing logs in /tmp, and using --skip-git-repo-check. This broad read/write/network scope and explicit guidance to bypass safety controls means the agent could modify repository content, install arbitrary dependencies, and access network resources without additional confirmations.
There is no install spec — the skill is instruction-only. That lowers install-time risk (nothing automatically downloaded or written by the registry). The SKILL.md suggests how to install the Codex CLI (npm or brew) but the skill itself doesn't perform installs.
The skill declares no required environment variables or credentials, which is appropriate for a CLI wrapper. It does reference a runtime cap variable (PI_BASH_MAX_OUTPUT_CHARS) and expects access to the workspace and /tmp; these are plausible. Still, the instructions encourage enabling network/system access and running package installs which could pull remote code — the absence of credential requests does not eliminate the risk of exfiltration or remote dependency execution.
The skill does not request 'always:true' (good), but it explicitly encourages non-interactive, auto-approved execution modes and long-lived background sessions (poll-and-extend up to 12 hours). Combined with autonomous invocation being permitted by platform defaults, this creates a higher blast radius: the agent could be given the ability to run long-running tasks that modify files and use the network without per-action confirmation.
Guidance
This skill is coherent for automating development tasks, but it instructs the agent to run Codex in modes that auto-approve edits and bypass sandboxes/prompts. Before installing or using it: (1) verify the Codex CLI binary and its provenance (npm/brew package author and integrity); (2) only run this skill in isolated/disposable environments or containers (no access to secret-filled repos or production systems); (3) avoid the --dangerously-bypass-approvals-and-sandbox and 'danger-full-access' flags unless you fully trust the agent and have network/filesystem isolation; (4) prefer read-only or interactive modes for untrusted code; (5) audit any commits/PRs the agent creates and restrict network access during runs; (6) request source/homepage/maintainer info from the publisher — lack of a homepage and unknown source increases risk. If you cannot accept those mitigations, treat this skill as untrusted.
Latest Release
v1.0.0
Initial publish: Codex CLI agent skill for non-interactive coding tasks
More by @feiskyer
Published by @feiskyer on ClawHub
