Codex CLI — agentic threat model
Codex CLI presents a high-impact but well-mitigated risk profile: while its 'Full Auto' mode and code execution capabilities could lead to severe local compromise, its sandboxed, network-disabled execution environment and granular approval modes substantially reduce the exploitable attack surface.
OWASP AIVSS score rationale
| Agentic risk factor | Score (0–1) | Notes |
|---|---|---|
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.70 | |
| Self-Modification | 0.20 | |
| Dynamic Tool Use | 0.80 | |
| Persistent Memory | 0.20 | |
| Contextual Awareness | 0.70 | |
| Dynamic Identity | 0.10 | |
| Multi-Agent Interactions | 0.00 | |
| Non-Determinism | 0.60 | |
| Opacity & Reflexivity | 0.50 | |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged "Not certain from the listing" carry general, caveated commentary because the public description did not pin down that layer.
Layer 1 (Foundation Models): Utilizes OpenAI models (such as o4-mini) for code generation and reasoning. Primary threats include prompt injection, adversarial inputs (especially via multimodal screenshots/diagrams), and model reprogramming to generate malicious code.
Layer 2 (Data Operations): Operates on local source code and accepts multimodal inputs (text, screenshots, diagrams). The primary threat is data exposure or poisoning if malicious files/diagrams are introduced into the local workspace, though data remains local.
Layer 3 (Agent Frameworks): Orchestrates tasks across three approval modes (Suggest, Auto Edit, Full Auto). In Full Auto mode, the risk of tool misuse (unintended file modification or execution of destructive commands) is highly elevated.
Layer 4 (Deployment and Infrastructure): Runs in a local terminal environment. Mitigates network-based threats by executing within a sandboxed, network-disabled environment, though sandbox escape remains a critical threat vector to the host system.
Layer 5 (Evaluation and Observability): Not certain from the listing. There is no explicit mention of logging, telemetry, guardrails, or observability tools to monitor the agent's actions or detect anomalous behavior during execution.
Layer 6 (Security and Compliance): Provides strong security controls through local-only execution, a network-disabled sandbox, and user-configurable approval gates (Suggest, Auto Edit, Full Auto) acting as a human-in-the-loop policy.
Layer 7 (Agent Ecosystem): Not certain from the listing. The agent appears designed for standalone local developer use and does not indicate any multi-agent collaboration or marketplace integration.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).