Codex

AdvisoryAudited by Static analysis on May 20, 2026.

Overview

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Findings (8)

critical

suspicious.dangerous_exec

Location: dist/client-BCJaLwdZ.js:69
Finding: Shell command execution detected (child_process).
Evidence: return spawn(invocation.command, invocation.args, {

critical

suspicious.dangerous_exec

Location: dist/node-cli-sessions-douLgfcf.js:915
Finding: Shell command execution detected (child_process).
Evidence: const child = spawn(invocation.command, invocation.args, {

critical

suspicious.exposed_secret_literal

Location: dist/config-B5rU0vP3.js:125
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const authToken = [REDACTED](config.authToken);

critical

suspicious.exposed_secret_literal

Location: dist/provider-catalog.js:73
Finding: File appears to expose a hardcoded API secret or token.
Evidence: apiKey: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/provider-discovery.js:27
Finding: File appears to expose a hardcoded API secret or token.
Evidence: apiKey: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/provider.js:56
Finding: File appears to expose a hardcoded API secret or token.
Evidence: apiKey: [REDACTED],

critical

suspicious.exposed_secret_literal

Location: dist/request-BLCZjckr.js:51
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const authToken = [REDACTED] ?? "";

critical

suspicious.exposed_secret_literal

Location: dist/shared-client-DWgKldR5.js:125
Finding: File appears to expose a hardcoded API secret or token.
Evidence: const apiKey = [REDACTED](resolveCodexAppServerSpawnEnv(params.startOptions, params.baseEnv ?? process.env, params.platform ?? process.platform), CODEX_APP_SERV...