Lesson 483 of 2116
Codex Security Model: What Code It Can Run And Where
Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.
Lesson map
What this lesson covers
Learning path
The main moves in order
- 1The agent can run code. That is the point and the risk
- 2sandbox
- 3permission model
- 4code execution
Concept cluster
Terms to connect while reading
Section 1
The agent can run code. That is the point and the risk
Most chatbots cannot touch your system. Codex can run shell commands, edit files, hit URLs, and start subprocesses. That is what makes it useful and dangerous. The security model is a layered set of constraints that try to keep the useful parts in and the catastrophic parts out.
The four boundary layers
- 1Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
- 2Permission prompts — destructive operations should require human approval before execution
- 3Network policy — outbound HTTP can be allowlisted by domain
- 4Credential isolation — secrets injected at task start, never leaked into outputs
Compare the options
| Surface | Process isolation | Network policy | Credential exposure |
|---|---|---|---|
| Codex Cloud | Strong (per-task container) | Configurable allowlist | Per-task secrets |
| Codex CLI | Your shell | Your machine's | Your env vars |
| IDE plugin | Your shell | Your machine's | Your env vars |
| GitHub action | GitHub runner | GitHub config | GitHub secrets |
Common security mistakes
- Using production credentials in a Codex CLI session
- Allowlisting all outbound HTTP because configuration is hard
- Auto-approving destructive commands because the prompts are annoying
- Sharing AGENTS.md with secrets baked in
- Connecting Codex to a VCS account with admin permissions on every repo
Applied exercise
- 1Identify the highest-permission account Codex currently uses on your stack
- 2Ask: does it need that level for daily work?
- 3If not, downgrade — create a Codex-specific principal with least privilege
- 4Keep the high-permission flow behind a human-only break-glass approval
Key terms in this lesson
The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others miss.
End-of-lesson quiz
Check what stuck
15 questions · Score saves to your progress.
Tutor
Curious about “Codex Security Model: What Code It Can Run And Where”?
Ask anything about this lesson. I’ll answer using just what you’re reading — short, friendly, grounded.
Progress saved locally in this browser. Sign in to sync across devices.
Related lessons
Keep going
Creators · 9 min
Citations And Source Verification: Perplexity's Biggest Win
Citations are the headline feature, but they only deliver if you actually click them. The verification habit is the skill — not the citation list.
Creators · 8 min
Sharing Perplexity Threads: Privacy And Accuracy
Sharable threads make Perplexity feel like a publishing tool. They are — but every share is a public record of your research and its mistakes.
Creators · 10 min
When Perplexity Hallucinates: Pattern-Spotting And Recovery
Perplexity hallucinates differently than ChatGPT. Recognizing those specific failure modes is the difference between catching them and embedding them in your work.