Summary
A local security review of commit a68496dc9220c78c3daa13cfb2f18036f1a79494 identified five high-severity issues. They allow a malicious skill, or an HTTP MCP caller, to disclose host data or obtain an incorrect SAFE verdict.
Findings
-
Symlink scope escape — build_context follows symlinks outside the selected skill root and reads their contents. Those contents can reach reports and configured LLM analysis.
- Suggested fix: reject symlinks during discovery, or resolve every candidate path and require it to remain under the resolved scan root before reading. Apply the same rule to multi-skill and batch paths.
-
HTTP MCP local-path access — the HTTP scan_skill path forwards targets to local-path-capable input resolution, despite the README stating local paths are rejected over HTTP.
- Suggested fix: make transport context explicit; reject local paths and
file:// URLs for HTTP calls. Keep routable deployments behind authentication.
-
Codex CLI provider host reads — codex exec --sandbox read-only still allows model-initiated shell reads of absolute host paths. A hostile scanned prompt can induce reads despite a temporary CWD.
- Suggested fix: do not use a tool-enabled CLI to analyze hostile content unless it runs in a filesystem-isolated sandbox; otherwise use a provider/transport with tools fully disabled.
-
Fenced SKILL.md bypass — the static runner drops findings near fenced Markdown, including executable instructions in SKILL.md. A no-LLM scan of a fenced privileged command returned SAFE with no findings.
- Suggested fix: never treat fenced content in
SKILL.md as automatically benign; restrict example suppression to trusted fixtures or explicit metadata.
-
Oversized-file bypass — static and YARA analyzers silently skip files above the size cap, allowing payload padding to evade detection while static mode can still return SAFE.
- Suggested fix: chunk large files or mark scans with skipped executable content as incomplete/non-safe, with an explicit report limitation.
Validation
- Full test suite:
1257 passed (with project-configured skips/xfails).
- Local reproductions confirmed the symlink read, MCP local-path scan, Codex host-file read, fenced-instruction
SAFE result, and oversized-file SAFE result.
Please consider treating this as a coordinated security report if public discussion is not appropriate.
Detailed local scan artifact: report.md generated by Codex Security.
Summary
A local security review of commit
a68496dc9220c78c3daa13cfb2f18036f1a79494identified five high-severity issues. They allow a malicious skill, or an HTTP MCP caller, to disclose host data or obtain an incorrectSAFEverdict.Findings
Symlink scope escape —
build_contextfollows symlinks outside the selected skill root and reads their contents. Those contents can reach reports and configured LLM analysis.HTTP MCP local-path access — the HTTP
scan_skillpath forwards targets to local-path-capable input resolution, despite the README stating local paths are rejected over HTTP.file://URLs for HTTP calls. Keep routable deployments behind authentication.Codex CLI provider host reads —
codex exec --sandbox read-onlystill allows model-initiated shell reads of absolute host paths. A hostile scanned prompt can induce reads despite a temporary CWD.Fenced SKILL.md bypass — the static runner drops findings near fenced Markdown, including executable instructions in
SKILL.md. A no-LLM scan of a fenced privileged command returnedSAFEwith no findings.SKILL.mdas automatically benign; restrict example suppression to trusted fixtures or explicit metadata.Oversized-file bypass — static and YARA analyzers silently skip files above the size cap, allowing payload padding to evade detection while static mode can still return
SAFE.Validation
1257 passed(with project-configured skips/xfails).SAFEresult, and oversized-fileSAFEresult.Please consider treating this as a coordinated security report if public discussion is not appropriate.
Detailed local scan artifact:
report.mdgenerated by Codex Security.