Low Risk — Risk Score 20/100
Last scan: 1 day ago
codex-swarm
OpenAI Codex-native multi-agent swarm orchestration for parallel coding with git worktrees, tmux tracking, endorsement gates, native code review, integration merging, and webhook notifications.
A legitimate OpenAI Codex multi-agent orchestration skill. Network access to Telegram and webhooks is used for notifications but is only partially declared in SKILL.md. No credential theft, data exfiltration, or obfuscation detected.
Skill Name: codex-swarm
Duration: 63.0s
Engine: pi
Safe to install
Document the Telegram API integration explicitly in SKILL.md and remove or pin the optional config file sourcing pattern to avoid unexpected variable injection.

Findings 3 items

Severity | Finding | Location

Low | Telegram API integration not explicitly declared [Doc Mismatch] | scripts/notify.sh:22
scripts/notify.sh makes curl requests to https://api.telegram.org/bot${TOKEN}/sendMessage using SWARM_TELEGRAM_BOT_TOKEN and SWARM_TELEGRAM_CHAT_ID. SKILL.md mentions 'webhook notifications' and 'Telegram notification' tables but does not enumerate the exact API endpoint or the token variables required.
curl -s "https://api.telegram.org/bot${SWARM_TELEGRAM_BOT_TOKEN}/sendMessage"
→ Add a dedicated 'Telegram Setup' section in SKILL.md documenting the required environment variables and the notification mechanism.

Low | Optional config sourcing not documented [Doc Mismatch] | scripts/notify.sh:8
Multiple scripts contain [ -f "$SWARM_DIR/config/swarm.conf" ] && source ... which would load arbitrary shell variables. The config file is not distributed in the package. This pattern could load unexpected values if a config file is later created.
[ -f "$SWARM_DIR/config/swarm.conf" ] && source "$SWARM_DIR/config/swarm.conf"
→ Document the expected config variables or remove the optional sourcing and require explicit variable passing.

Info | Runner scripts written to logs directory with embedded prompt content [Sensitive Access] | scripts/spawn-agent.sh:82
spawn-agent.sh writes a runner script to $SWARM_DIR/logs/${TMUX_SESSION}-run.sh containing the prompt content. If the logs directory is world-readable, prompt content could be exposed. The PROMPT_FILE path itself is not sanitized against path injection.
cat > "$RUNNER" << RUNEOF ... - < "$PROMPT_FILE" ... RUNEOF
→ Ensure $SWARM_DIR/logs has restricted permissions (0700) and consider adding path validation for PROMPT_FILE.

Resource | Declared | Inferred | Status | Evidence
Shell | WRITE | WRITE | ✓ Aligned | spawn-agent.sh:80-100 writes runner script; cleanup.sh kills tmux sessions
Filesystem | WRITE | WRITE | ✓ Aligned | spawn-agent.sh:68-69 writes PROMPT_FILE to $SWARM_DIR/logs/
Network | READ | WRITE | ✓ Aligned | notify.sh:22-27 uses curl POST to webhook URL and Telegram API — declared as 'we…
Environment | NONE | READ | ✓ Aligned | notify.sh reads SWARM_TELEGRAM_BOT_TOKEN, SWARM_TELEGRAM_CHAT_ID, SWARM_WEBHOOK_…
Skill Invoke | NONE | NONE | | No skill_invoke calls detected
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser access
Database | NONE | NONE | | No database access

1 finding
Medium External URL
https://api.telegram.org/bot$
scripts/notify.sh:22

File Tree

10 files · 17.6 KB · 504 lines
Shell 8f · 417L Markdown 1f · 63L JSON 1f · 24L
├─ 📁 config
│ └─ 📋 duty-table.json JSON 24L · 601 B
├─ 📁 scripts
│ ├─ 🔧 check-agents.sh Shell 24L · 757 B
│ ├─ 🔧 cleanup.sh Shell 45L · 1.2 KB
│ ├─ 🔧 endorse-task.sh Shell 8L · 391 B
│ ├─ 🔧 integration-watcher.sh Shell 75L · 2.6 KB
│ ├─ 🔧 notify-on-complete.sh Shell 41L · 1.5 KB
│ ├─ 🔧 notify.sh Shell 36L · 1.0 KB
│ ├─ 🔧 spawn-agent.sh Shell 142L · 5.4 KB
│ └─ 🔧 spawn-batch.sh Shell 46L · 1.8 KB
└─ 📝 SKILL.md Markdown 63L · 2.4 KB

Security Positives

✓ Endorsement gate in spawn-agent.sh requires a pre-created approval file before spawning any agent, providing a manual safety check
✓ Cooldown mechanism (30s default) prevents rapid re-spawning of agents without re-endorsement
✓ All network calls are outbound notifications (POST to configured webhooks/Telegram) — no inbound C2 connections or unsolicited network behavior
✓ No base64, eval(), or obfuscated code patterns found across all 8 shell scripts
✓ No credential harvesting — SWARM_TELEGRAM_BOT_TOKEN is used only to send messages, not to exfiltrate tokens
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive credential paths
✓ No supply chain risk — no package dependencies, no pip/npm install, no remote script download
✓ Legitimate use of subprocess for git operations (worktree, branch, merge), tmux session management, and codex CLI invocation — all directly relevant to the stated multi-agent orchestration purpose