CapitalGuard

CapitalGuard Observatory · Tool record

OpenAI Codex

OpenAI · coding agent

OpenAI Codex can work locally or in cloud environments with repository files, commands, patches, network controls, approvals, plugins, and connected developer workflows.

Public-Control Score

85

Extensive public control coverage

Measures publicly documented control coverage as of the review date. It is not a breach rate, penetration test, endorsement, or guarantee of safety.

Scored dimensions

The documented control surface.

This record is reviewed against the same five-dimension rubric used across every scored product.

Read Methodology

Access and scope transparency

18/20

Official material provides extensive operational detail for access and scope transparency.

Data and retention controls

15/20

Official material names concrete controls and meaningful boundaries for data and retention controls.

Connector and permission controls

17/20

Official material provides extensive operational detail for connector and permission controls.

Action, approval, and isolation controls

19/20

Official material provides extensive operational detail for action, approval, and isolation controls.

Audit and administrative evidence

16/20

Official material names concrete controls and meaningful boundaries for audit and administrative evidence.

Documented access points

1

local repositories and worktrees

2

commands, patches, tests, and tools

3

cloud repositories, plugins, MCP servers, and network access

Settings to verify now

1

Sandbox and approval profile

2

Writable roots and network policy

3

Repository, plugin, MCP, and cloud connections

Linked security signals

Version checks that should not wait.

CVE-2025-59532 · high

Codex workspace sandbox-boundary bypass

Codex CLI 0.2.0 through 0.38.0; affected IDE extension releases before 0.4.12.

Use Codex CLI 0.39.0 or later and IDE extension 0.4.12 or later, then verify the effective writable root before sensitive work.

CGO-CHANGE-2026-06-09 · informational

GitHub adds security validation for third-party coding agents

Supported GitHub agent workflows; coverage depends on repository and agent settings.

Keep the validation enabled, but retain branch protection, review, and least-privilege controls around agent-generated changes.

CGO-RESEARCH-2026-05 · informational

AgentSecBench formalizes three enforceable agent-security boundaries

Agentic systems that combine untrusted content, private context, and action-capable tools.

Project trusted provenance, restrict capabilities before generation, and validate outputs before execution.

Primary sources

Inspect the evidence directly.