Codex Security Model: What Code It Can Run And Where

Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.

10 min · Reviewed 2026

The agent can run code. That is the point and the risk

Most chatbots cannot touch your system. Codex can run shell commands, edit files, hit URLs, and start subprocesses. That is what makes it useful and dangerous. The security model is a layered set of constraints that try to keep the useful parts in and the catastrophic parts out.

The four boundary layers

Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Permission prompts — destructive operations should require human approval before execution
Network policy — outbound HTTP can be allowlisted by domain
Credential isolation — secrets injected at task start, never leaked into outputs

Surface	Process isolation	Network policy	Credential exposure
Codex Cloud	Strong (per-task container)	Configurable allowlist	Per-task secrets
Codex CLI	Your shell	Your machine's	Your env vars
IDE plugin	Your shell	Your machine's	Your env vars
GitHub action	GitHub runner	GitHub config	GitHub secrets

Common security mistakes

Using production credentials in a Codex CLI session
Allowlisting all outbound HTTP because configuration is hard
Auto-approving destructive commands because the prompts are annoying
Sharing AGENTS.md with secrets baked in
Connecting Codex to a VCS account with admin permissions on every repo

Applied exercise

Identify the highest-permission account Codex currently uses on your stack
Ask: does it need that level for daily work?
If not, downgrade — create a Codex-specific principal with least privilege
Keep the high-permission flow behind a human-only break-glass approval

The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others miss.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-codex-security-model-creators

What is the main idea of "Codex Security Model: What Code It Can Run And Where"?
1. Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Codex Security Model: What Code It Can Run And Where"?
1. permission model
2. sandbox
3. code execution
4. credential isolation
Which use of AI fits this topic best?
1. Let the AI decide what matters without your review
2. Use the answer before checking whether it fits the situation
3. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
4. Treat the AI output as automatically correct
What should a careful learner remember about "The CLI sees your laptop"?
1. Use AI to draft or organize ideas about sandbox, then verify before acting.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. Use AI for drafting and comparison, but verify before publishing or relying on it.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about sandbox be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about sandbox.
Which action would help you apply "Codex Security Model: What Code It Can Run And Where" responsibly?
1. Use the tool to avoid thinking through the tradeoff
2. Keep going even if the output conflicts with a trusted source
3. Treat the AI output as automatically correct
4. Permission prompts — destructive operations should require human approval before execution

← Back to interactive lesson

Tendril · Creators · Tools Literacy

Codex Security Model: What Code It Can Run And Where

Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.

10 min · Reviewed 2026

The agent can run code. That is the point and the risk

The four boundary layers

Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
Permission prompts — destructive operations should require human approval before execution
Network policy — outbound HTTP can be allowlisted by domain
Credential isolation — secrets injected at task start, never leaked into outputs

Surface	Process isolation	Network policy	Credential exposure
Codex Cloud	Strong (per-task container)	Configurable allowlist	Per-task secrets
Codex CLI	Your shell	Your machine's	Your env vars
IDE plugin	Your shell	Your machine's	Your env vars
GitHub action	GitHub runner	GitHub config	GitHub secrets

Common security mistakes

Using production credentials in a Codex CLI session
Allowlisting all outbound HTTP because configuration is hard
Auto-approving destructive commands because the prompts are annoying
Sharing AGENTS.md with secrets baked in
Connecting Codex to a VCS account with admin permissions on every repo

Applied exercise

Identify the highest-permission account Codex currently uses on your stack
Ask: does it need that level for daily work?
If not, downgrade — create a Codex-specific principal with least privilege
Keep the high-permission flow behind a human-only break-glass approval

The big idea: security is a defense in depth. Sandboxes, permissions, network policy, and credential isolation each catch what the others miss.

End-of-lesson check

8 questions · take it digitally for instant feedback at tendril.neural-forge.io/learn/quiz/end-codex-security-model-creators

What is the main idea of "Codex Security Model: What Code It Can Run And Where"?
1. Codex executes code on your behalf. Understanding the sandbox boundaries — and where they leak — is the difference between productivity and an outage.
2. Use AI as the final authority for the whole decision
3. Avoid checking the answer once it sounds polished
4. Focus only on speed instead of judgment
Which concept is most central to "Codex Security Model: What Code It Can Run And Where"?
1. permission model
2. sandbox
3. code execution
4. credential isolation
Which use of AI fits this topic best?
1. Let the AI decide what matters without your review
2. Use the answer before checking whether it fits the situation
3. Sandbox process — Codex Cloud runs in an OS-level sandbox; the CLI runs in your shell
4. Treat the AI output as automatically correct
What should a careful learner remember about "The CLI sees your laptop"?
1. Use AI to draft or organize ideas about sandbox, then verify before acting.
2. Skip the context so the tool can guess faster
3. Treat the output as private even after sharing it online
4. Use the answer without checking the source
You want to use AI after this lesson. What is the safest next step?
1. Act immediately because the AI answer is written clearly
2. Use AI for drafting and comparison, but verify before publishing or relying on it.
3. Hide uncertainty so the final answer looks cleaner
4. Use private or sensitive details before checking permission
How should AI output about sandbox be treated?
1. As proof that no other source is needed
2. As a replacement for context, consent, or expert review
3. As a draft or helper output that still needs human judgment and verification
4. As something that becomes correct when it sounds confident
Name one way to verify an AI answer about sandbox.
Which action would help you apply "Codex Security Model: What Code It Can Run And Where" responsibly?
1. Use the tool to avoid thinking through the tradeoff
2. Keep going even if the output conflicts with a trusted source
3. Treat the AI output as automatically correct
4. Permission prompts — destructive operations should require human approval before execution

← Back to interactive lesson