We checked 6 of 24 files worth caring about.
REPO-ID · openai/codexSOURCE · LIVE EVIDENCETRUST SCORE · 59/100CREATED BY · Christo + Nova
Pre-install repo check
Check the repo before it touches your machine.
Paste a public GitHub repo. Get a trust read on install files, MCP and agent surfaces, maintainer signals, dependency clues, risky paths, and the first thing to inspect before you run anything.
© Christo 2026 — Created by Christo and Nova
01Checking the GitHub URL02Reading the repo as untrusted data03Finding install and agent surfaces04Building the trust dossier
Score 59/10041 risk · 26 sure · 25 coverage
Install or hold off?
Be careful
Read this before the repo touches your machine.
Not enough of the repo was visible, so this is not getting a safe label yet.. openai/codex is mostly Rust, with codex-rs/ carrying the visible weight. Start with review the automation before running it before cloning it into a real workspace. Groq also checked the evidence and called it caution at 0% sure, but it did not show enough to override the built-in engine.
Groq second lookcaution · 0% sure · agent
Proceed with caution: verify the integrity of the release binaries (e.g., checksum), run them in a sandboxed environment, and review the code paths that invoke external tools or network calls. Ensure that any agent runtime is configured with the minimal required permissions. Agent fit: 80/100, The repository contains .codex/skills and .codex/agents directories, along with a codex-cli package and Rust agent code, indicating it is designed for agent tooling.
Executable artifact is present
4 executable release artifacts appeared. That deserves review, but release binaries alone are not proof the repo is …
01Clone
Check who owns it. Then check whether the README matches the code.
Owner, maintainer and repo signals show up here first.
02Install
Install scripts are where a lot of bad repos get their first shot.
Setup files decide what gets onto your machine first.
03Build
Executable artifact is present
openai/codex/releases — codex-aarch64-pc-windows-msvc.exe
04Run
Shell, network and filesystem access are where risk gets real.
Shell or network access is where risk stops being theoretical.
05Persist
Look for anything trying to stick around after setup finishes.
This is where anything sticky or persistent would show up.
Executable artifact is present
4 executable release artifacts appeared. That deserves review, but release binaries alone are not proof the repo is unsafe.
- openai/codex/releases — codex-aarch64-pc-windows-msvc.exe
- openai/codex/releases — codex-app-server-aarch64-pc-windows-msvc.exe
- openai/codex/releases — codex-app-server-x86_64-pc-windows-msvc.exe
Commit map
Open commit mapSee the big turns, not the commit soup.
The map cuts noisy history down to the moments that changed the repo. Useful when something looks clean now and you want to know how it got there.
Repo verdict
Would you trust this on your machine?
openai/codex is mostly a Rust repo, with the visible weight around codex-rs, .github, root, .codex. The scan found 8 install or runtime files, agent or MCP-looking files, and docs are visible, tests are visible, safety files are labeled. Read this before installing it. Do not treat it as permission to run the repo.
This check uses public GitHub data, repo files and recent commits. It treats the repo like it might be hostile. It never installs, imports or runs the code.
Checked before you install it or hand it to an agent.
.devcontainer/Dockerfile · .devcontainer/codex-install/package.json · codex-cli/package.json
Candidate files: 24 · Fetched files: 6 · Scanned bytes: 14828 · 18 high-signal files were not fetched in the bounded scan.
Top public contributor: @bolinfest (892 commits).
Default branch: main · visibility: public.
11K forks · 79K watchers · 3,374 open issues.
2026-04-30 · prerelease
No repo topics came back in metadata.
GitHub size: 416K KB · issues on.
Coverage 25/100 · risk 41/100 · 1 claims with receipts.
Why it got this call
The scanner has to show its work.
Not enough of the repo was visible, so this is not getting a safe label yet.
Built-in engine. This is the verdict currently driving the page.
High risk means the scan found something worth stopping for, not just a weird file name.
This shows how much the scanner actually got to read. Low score means first pass, not final answer.
caution on agent; agent fit 80/100.
This is how much of the install, workflow and script surface made it into the scan.
Install surface69
The bounded scan did not find a clear install surface break.
Runtime execution surface73
The bounded scan did not find a clear runtime execution surface break.
Release provenance67
The bounded scan did not find a clear release provenance break.
Dependency exposure75
The bounded scan did not find a clear dependency exposure break.
Maintainer continuity65
The bounded scan did not find a clear maintainer continuity break.
CI/build permissions67
The bounded scan did not find a clear ci/build permissions break.
Inspectability / opacity55
4 executable release artifacts appeared. That deserves review, but release binaries alone are not proof the repo is unsafe.
- executable-artifact: Executable artifact is present
Install path
Where things can go wrong during setup.
Primary install entry point appears to be package.json.
Receipts
If the scanner makes a claim, it has to point at a file.
executable-artifactinspectability-opacity
Executable artifact is present
4 executable release artifacts appeared. That deserves review, but release binaries alone are not proof the repo is unsafe.
Executable artifacts are higher risk than inspectable script/library source because users cannot quickly verify behavior before running them.watch76% sure
openai/codex/releasescodex-aarch64-pc-windows-msvc.exeopenai/codex/releasescodex-app-server-aarch64-pc-windows-msvc.exeopenai/codex/releasescodex-app-server-x86_64-pc-windows-msvc.exeopenai/codex/releasescodex-command-runner-aarch64-pc-windows-msvc.exe
Rulebook
The scanner rules are here so you can call bullshit if needed.
Install hook executes code
package.json scripts.preinstall/install/postinstall/prepare contains executable commands
Install-time execution runs before most users inspect behavior carefully.Remote download piped to shell
curl/wget download is piped directly into bash/sh
Remote code executes immediately with minimal review opportunity.Install flow requests elevated privileges
install-related file contains sudo or direct system-profile writes
Privilege elevation expands blast radius beyond the repo workspace.Workflow can write back to GitHub
workflow permissions include write-all or explicit write scopes, or uses pull_request_target
Write-capable CI can change code, releases, or packages if compromised or misconfigured.Install flow persists changes outside repo
script modifies shell profiles, startup files, or system paths
Persistence survives the first run and changes future machine behavior.Encoded or obfuscated execution path
base64 decode plus exec/eval/shell pattern appears in install/runtime-sensitive files
Encoded execution reduces inspectability and hides real behavior.Repo text explicitly signals hostile intent
repo name, description, or README uses terms like malware, stealer, grabber, keylogger, or similar hostile language without a benign research context
Open hostile-intent language is a direct trust break even before deeper execution-path review.Repo text describes credential or token theft
repo text couples theft verbs with tokens, credentials, passwords, cookies, wallets, sessions, or similar sensitive targets
Theft language aimed at sensitive material is a direct hostile-behavior signal.Skill or prompt text asks for hostile instruction override or exfiltration
skill/prompt/instruction text contains override language plus explicit secret theft, exfiltration, or destructive execution cues
Malicious skill text can redirect an agent or operator into credential theft, prompt hijacking, or destructive local actions even when install paths look clean.Opaque artifact dominates visible tree
large binary blobs or large minified assets appear without enough surrounding source context
Opaque artifacts reduce a user's ability to verify what will actually run.Maintainer continuity is concentrated
one contributor dominates visible contribution counts
High bus-factor concentration increases continuity risk and weakens trust transfer.Release provenance is weak in visible evidence
public releases exist but no visible workflow/build provenance is found in bounded scan
Source-to-release continuity is harder to verify when build steps are not publicly visible.New account shipped a repo immediately
owner account and repository were created close together, with a very young repo age
Fresh account plus immediate repository creation is a high-signal supply-chain suspicion pattern when trust evidence is otherwise thin.Release exists on a one-commit repo
public release exists while the bounded commit sample shows a single commit
A release repo with almost no history gives users little provenance to inspect before downloading artifacts.Executable artifact is present in source or releases
repo tree or release assets include executable/binary artifacts while the repo presents as installable code
Executables are harder to inspect than scripts or source and deserve heavier suspicion before local execution.Dependency pinning is not obvious
manifest exists without an obvious lockfile in the bounded scan
Unpinned dependency resolution makes installs less reproducible.File risk map
Where trust pressure gathers.
Use the map to find dense areas, gateway files, and places where install or agent risk is likely to concentrate.
The files worth reading before install.
01
README and public promise
Front door check
openai/codex says: "Lightweight coding agent that runs in your terminal" Start here, because a repo that asks for trust should explain what it does before asking you to install anything.
02
Directory weight
Where the code gathers
The heaviest areas are codex-rs (724), .github (62), root (22), .codex (19), .devcontainer (11). If something risky hides in plain sight, it usually hides near the areas with the most gravity.
03
Manifests, scripts, containers
Install path
These files shape what happens before the project runs. Read them before copying an install command, especially when the repo exposes CLIs, containers, workflow files, or scripts.
04
Tests and repeatable checks
Verification signs
Test or spec paths are visible. That gives you a safer way to inspect behavior before trusting a repo with local execution.
05
Auth, secrets, policy, MCP
Permission surface
Security, auth, policy, secret, sandbox or permission files show up in the tree. Read those before wiring this into an agent or your machine.
06
Tools, prompts, skills, servers
Agent and MCP scan
This repo has agent-shaped paths. Before installing it as an MCP server, skill, plugin, or CLI, inspect what tools it exposes and what environment variables it expects.
How the repo earned its current shape.
Public promise
What the repo says it doesopenai/codex first earns or loses trust through README, license, docs, and root manifests. Read those before source code.
README.md.devcontainer/Dockerfilecodex-cli/package.jsonCode weight
Where the repo got denseDirectory weight shows where review time should go first. Big areas are not always risky, but they are rarely irrelevant.
codex-rs/Cargo.tomlLICENSESECURITY.md.devcontainer/codex-install/package.jsonTrust boundary
Safety surfaces are visibleSecurity-sensitive paths are visible. They deserve review before tokens, tools, or local execution enter the picture.
SECURITY.md.github/workflows/blob-size-policy.ymlRecent motion
Where maintainers touched it latelyRecent commits are clues, not proof of intent. They tell you where the repo is moving right now.
feat: Add workspace plugin sharing APIs (#20278)ci: increase Windows release workflow timeouts (#20343)Add persisted hook enablement state (#19840)permissions: expose active profile metadata (#20095)codex-rs
724 visible files; samples: codex-rs/.cargo/audit.toml, codex-rs/.cargo/config.toml
95.github
62 visible files; samples: .github/CODEOWNERS, .github/ISSUE_TEMPLATE/1-codex-app.yml
47root
22 visible files; samples: .bazelignore, .bazelrc
43.codex
19 visible files; samples: .codex/skills/babysit-pr/SKILL.md, .codex/skills/babysit-pr/agents/openai.yaml
42Repeatable checks
Test/spec patterns are visible.
62Trust boundary
Auth/security/policy/secret-like paths were found.
81First file to read
README.md: Explains the front-door contract for humans scanning the repository.
70Recent movement
Recent commits tell you where to look next.
- 2026-04-30
feat: Add workspace plugin sharing APIs (#20278)
Recent public commit signal from openai/codex. Commit messages are used as strata labels, not as proof of architectural intent.
Use this layer as a starting clue, then inspect the linked files and pull requests before making conclusions.README.md.devcontainer/Dockerfilecodex-cli/package.json - 2026-04-30
ci: increase Windows release workflow timeouts (#20343)
Recent public commit signal from openai/codex. Commit messages are used as strata labels, not as proof of architectural intent.
Use this layer as a starting clue, then inspect the linked files and pull requests before making conclusions..devcontainer/Dockerfilecodex-cli/package.jsoncodex-rs/Cargo.toml - 2026-04-30
Add persisted hook enablement state (#19840)
Recent public commit signal from openai/codex. Commit messages are used as strata labels, not as proof of architectural intent.
Use this layer as a starting clue, then inspect the linked files and pull requests before making conclusions.codex-cli/package.jsoncodex-rs/Cargo.tomlLICENSE - 2026-04-30
permissions: expose active profile metadata (#20095)
Recent public commit signal from openai/codex. Commit messages are used as strata labels, not as proof of architectural intent.
Use this layer as a starting clue, then inspect the linked files and pull requests before making conclusions.codex-rs/Cargo.tomlLICENSESECURITY.md - 2026-04-30
[plugins] Allow MSFT curated plugins in tool_suggest (#20304)
Recent public commit signal from openai/codex. Commit messages are used as strata labels, not as proof of architectural intent.
Use this layer as a starting clue, then inspect the linked files and pull requests before making conclusions.LICENSESECURITY.md.devcontainer/codex-install/package.json
Reasons to slow down before running it.
Executable artifact is present
openai/codex/releases — codex-aarch64-pc-windows-msvc.exe
Prefer source builds in a sandbox. Trust binaries only with reproducible build instructions, signatures, and strong maintainer provenance.Evidence coverage is incomplete
6 of 24 high-signal files were fetched in the bounded scan.
Treat this report as a first pass and review the missing install, workflow, or script files before trusting the repo.People behind the repo
Maintainers leave fingerprints too.
Code trust is not only files. A repo with visible, active people feels different from a dump with no one home.
lead@bolinfest
892 contributions
lead@jif-oai
801 contributions
lead@aibrahim-oai
512 contributions
active@pakrym-oai
415 contributions
active@etraut-openai
333 contributions
active@dylan-hurd-oai
204 contributions
active@nornagon-openai
199 contributions
active@dependabot[bot]
126 contributions
active@owenlin0
122 contributions
active@viyatb-oai
107 contributions
active@charley-oai
103 contributions
active@iceweasel-oai
102 contributions
Don't trust the stars at face value.
A star count is easy to quote and easy to overread. The better question is whether the repo shows signs of real use once you look past the headline number.
Forks point to adoption. Watchers point to commitment. Issues point to real user pressure. When those stay too low, the star number loses weight fast.
Healthy projects often sit between 10% and 25%. A huge star count with tiny fork volume is a bad smell.
Organic projects usually keep more watchers than manipulated ones. Near-zero watchers means low conviction.
Real users complain, ask questions, and break things. Bots don't. This is a rough usage signal, not proof.
Pulling the live GitHub counts for this repo now.
VirusTotal reputation
Run a VirusTotal check for peace of mind.
Fire a live check when you want one more layer before you download or run anything from the repo.
Optional check
Run the scan when you want the extra signal.
Press the button to check this repo's public hosts and release links against VirusTotal.
If you only have thirty minutes, check these first.
Read the promise
Start with the README and docs. Does the repo plainly say what it will do on your machine?
README.mdCheck the install path
Open the files a package manager, shell or container runtime touches first.
.devcontainer/Dockerfile.devcontainer/codex-install/package.jsoncodex-cli/package.jsoncodex-rs/Cargo.tomlcodex-rs/agent-graph-store/Cargo.tomlcodex-rs/agent-identity/Cargo.tomlcodex-rs/analytics/Cargo.tomlcodex-rs/ansi-escape/Cargo.tomlCheck agent permissions
Trace MCP, tool, prompt, permission, sandbox and execution paths before connecting this repo to an assistant.
codex-rs/app-server-protocol/schema/json/McpServerElicitationRequestParams.jsoncodex-rs/app-server-protocol/schema/json/McpServerElicitationRequestResponse.jsoncodex-rs/app-server-protocol/schema/json/v2/ListMcpServerStatusParams.jsoncodex-rs/app-server-protocol/schema/json/v2/ListMcpServerStatusResponse.jsoncodex-rs/app-server-protocol/schema/json/v2/McpResourceReadParams.jsoncodex-rs/app-server-protocol/schema/json/v2/McpResourceReadResponse.jsonPick the first safe move
Run or read the smallest existing check before trusting local execution.
codex-rs/.cargo/audit.tomlcodex-rs/.cargo/config.tomlcodex-rs/.config/nextest.tomlcodex-rs/.github/workflows/cargo-audit.ymlIf you don't have time
Open the agent audit pageLet your agent do the boring first pass.
Paste the repo link, copy the review prompt and let your agent skim it. Then come back here for the files worth checking with your own eyes.