autonomous-skill

This Bash module is not evidence of classic malware (no hardcoded secrets, no obfuscated payloads, no explicit exfiltration logic). However, it is a high-privilege orchestrator for an external autonomous agent and, in --network mode, it deliberately passes a “dangerously bypass approvals and sandbox” flag to codex. Because user-controlled task description and local task state are embedded directly into prompts, the primary risk is prompt-driven unintended actions by the agent, amplified by network/sandbox bypass. Treat this as a security-critical launcher: restrict templates/state trust, strongly limit or avoid --network unless codex sandboxing/approvals are verified, and ensure .autonomous/<task-name>/ is protected from tampering.

SUSPICIOUS. The skill’s purpose matches its capabilities, and the Codex CLI install source appears official, so this is not malware-like or a deceptive supply-chain lure. However, the skill materially increases risk by enabling unattended multi-session execution, optional sandbox/approval bypass, local state persistence, and possible external network interaction; that scope is high-risk for an AI agent even if coherent with the stated purpose.