Audit a repo you don't trust yet starter
You cloned something and want Codex to explain it before anything in it gets a chance to run.
-
Pin the sandbox to
read-onlyfor the run. It's the mode where Codex can look but not touch — no writes, no network.codex exec \ --sandbox read-only \ "Map this repo: entry points, where it talks to the network, anything that runs at install time." -
When you do want writes,
workspace-writescopes them to the working directory rather than the whole filesystem.codex --sandbox workspace-write "Fix the failing tests."
The three modes are read-only, workspace-write, and danger-full-access — and the third is named that way on purpose. Reaching for it because a tool call got blocked is how a supply-chain payload in a postinstall script gets its wish.