# Codex 'Auto-Review' Agent Runs Malware

> Source: <https://www.promptarmor.com/resources/agentic-auto-review-approves-malware>
> Published: 2026-06-11 17:20:56+00:00


Malware risks from agent-based command approval modes, demonstrated on OpenAI Codex.

## Context

Across AI applications (Codex, Claude Code, etc.), tools have begun to encourage an ‘agent in the loop’ approach, in which a second agent reviews commands issued by the first, rather than requiring human oversight.

While this approach promises to enable multi-agent workflows and large-scale orchestration, it falls victim to a well-known flaw of AI-based guardrails: the guardrail agent can be influenced by prompt injections, just as the primary agent requesting commands can.

In this article, we demonstrate that OpenAI's 'Approve-for-me' agent approves the execution of a malicious NPM install command with elevated privileges when the main Codex agent has been steered by a single concealed line in a GitHub issue from an external contributor.

This is not a security vulnerability. Vendors are offering the option to accept risk by delegating the decision about when to execute sensitive actions to an agent.

As stated by OpenAI,

“[Approve-for-me] is not a deterministic security guarantee… It can still make mistakes, especially in adversarial or unusual contexts”.

Anthropic notes,

“Auto mode reduces risk… but doesn't eliminate it entirely… The classifier may still allow some risky actions”.

This article exemplifies a risk that is becoming increasingly pertinent as organizations move from adopting to operationalizing AI, including the use of semi-autonomous systems and always-on agents.

## Attack Chain on Codex

1. The user asks Codex for help triaging GitHub issues, using the 'Approve-for-me' command validation mode.
   *When Codex wants to run a command that requires network or write access outside the Codex sandbox, the request is forwarded to the Approve-for-me agent for approval.*
2. One GitHub issue is from an external contributor and contains a prompt injection hidden in an HTML comment.
3. Codex requests elevated permissions to run the hidden install command; the 'Approve-for-me' agent approves the escalation request.
4. Attacker-controlled code runs unsandboxed on the user's machine.
   *A post-install script in the NPM package runs immediately upon installation and executes with the user's full privileges.*

## How Organizations Can Disable Agentic Auto Review in Claude and Codex

### Claude

Navigate to Organization Settings > Claude Code > Managed settings (settings.json) > Manage, and add the key `permissions.disableAutoMode` set to `"disable"`.

*Note: This setting was previously managed by a toggle in the admin settings interface, but the toggle is being deprecated on June 5th. If your organization relies on this toggle (or the toggle for ‘Bypass permissions mode on Claude Code Desktop’), you must update the Managed Settings file to maintain the effect.*

### Codex

Navigate to [https://chatgpt.com/codex/cloud/settings/policies](https://chatgpt.com/codex/cloud/settings/policies) and upload a `requirements.toml` file with the following key: `allowed_approval_reviewers = ["user"]`.

*Omitting `auto_reviewer` from the list of approved reviewers blocks it for Codex Local users, which covers the Desktop App, the CLI, and the IDE extension (Codex Cloud operates under different restrictions).*
