parallel-task-tmux
Audited by Socket on Mar 12, 2026
2 alerts found:
Anomaly
Obfuscated File
This script itself is a benign wrapper, but it intentionally runs 'codex exec' with flags that disable safety (sandbox and approval checks) and skips repository checks while piping arbitrary prompt contents into it. That makes it a high-value enabler for supply-chain abuse: a malicious or compromised prompt, or a malicious 'codex' binary, can perform arbitrary actions in the provided workspace and exfiltrate data. Use of this script in automated pipelines or on sensitive machines is risky. Recommend removing dangerous flags, validating/isolating workspace and prompt inputs, verifying the codex binary, and restricting where this runs.
The skill is a locally-driven orchestration tool that coordinates parallel task execution in tmux using codex internals. Its footprint is coherent with the stated purpose: it doesn't introduce external dependencies, credential handling, or data exfiltration risks beyond local artifacts. The primary risk surfaces are standard shell/script execution and tmux usage, which are acceptable given the explicit plan-based workflow. Overall, the security posture is benign-to-suspicious at most, with no active evidence of credential leakage or remote command execution. Caution is recommended around any future additions that introduce unverifiable binaries or external data sinks, but the current structure appears proportionate to its described goal.