Tricking Codex to execute rogue MCP entries
Like all AI-assisted coding agents, Codex has some powerful privileges since it needs to be able to read, edit and run code directly from the terminal. In the default mode, the tool can perform tasks without approval within the working directory, but users can change it to either read only or full access.
Allowing the tool to execute commands and modify files in a controlled directory might not seem too risky at first glance, but the CheckPoint researchers found a creative way to abuse it.
First, like many AI agents, Codex supports the Model Context Protocol (MCP). Developed by AI company Anthropic, MCP has become the de facto industry method of linking LLMs to external data sources and applications. In other words, it’s a building block for creating autonomous AI agents that can automatically discover and use third-party tools.
