Meaning

What checked means

A checked plugin matched marketplace policy at a pinned source commit and has validation context available for inspection. It does not mean the plugin is guaranteed safe.

Review

Automated vs maintainer reviewed

Automated validation is separate from maintainer approval.

Risk

Risk labels

Risk labels should describe actual behavior: network access, filesystem access, command execution, auth requirements, external mutations, telemetry, scanner coverage, and update changes.

Coverage

Scanner coverage

Validation may use manifest checks, Semgrep, plugin-scanner with Cisco coverage, ClamAV malware evidence, npm audit, OSV Scanner, OpenSSF Scorecard, Gitleaks, SBOM generation, license policy, provenance checks, MCP fingerprints, Docker sandbox smoke checks, and diff checks. A submission that is missing any scanner coverage policy marks as strict is blocked from publication.

External evidence

Plugin Scanner

Codex Commons records plugin-scanner score, grade, max severity, and findings as external evidence. It informs review and auto-publication, but Codex Commons policy remains the source of marketplace decisions.

Malware

Hard blocker

Malware scanner findings block publication, and maintainer approval cannot override them. Canary tests use the harmless EICAR anti-malware test file instead of real malware samples.

Supply chain

Dependency evidence

Runtime dependencies are checked separately from plugin source. Remote MCP and HTTP API dependencies need verified source/provenance; downloadable dependencies need pinned versions, lockfiles, or full git SHAs.
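As an added illustration of the pinning rules this entry describes (example code, not Codex Commons' own validator), the Python below classifies a constructed dependency list: remote MCP/HTTP API entries need a provenance record, git references need a full 40-hex commit SHA, and packages need an exact version or a lockfile. The `Dependency` fields, the `kind` values, and the sample data are this example's own assumptions.

```python
import re
from dataclasses import dataclass

# Evidence rules drawn from the policy text: downloadable dependencies need a
# pinned version, a lockfile, or a full git SHA; remote MCP/HTTP API dependencies
# need verified source/provenance. The field names below are this example's own.
FULL_GIT_SHA = re.compile(r"[0-9a-f]{40}")
EXACT_VERSION = re.compile(r"\d+\.\d+\.\d+")  # exact semver, no range operator


@dataclass
class Dependency:
    name: str
    kind: str               # "git", "package", "remote_mcp" or "http_api"
    ref: str = ""           # git ref, or the package version specifier
    lockfile: bool = False  # a lockfile pins the resolved version of a package
    provenance: str = ""    # source/provenance record for a remote service


def check_dependency(dep):
    """Return the evidence gaps for one dependency; an empty list means acceptable."""
    if dep.kind in ("remote_mcp", "http_api"):
        if not dep.provenance.strip():
            return [f"{dep.name}: remote {dep.kind} dependency has no verified source/provenance"]
        return []
    if dep.kind == "git":
        if not FULL_GIT_SHA.fullmatch(dep.ref):
            # branch names, tags and abbreviated SHAs can move or be ambiguous
            return [f"{dep.name}: git ref {dep.ref!r} is not a full 40-hex commit SHA"]
        return []
    if dep.kind == "package":
        if dep.lockfile or EXACT_VERSION.fullmatch(dep.ref):
            return []
        return [f"{dep.name}: version spec {dep.ref!r} is not exact and no lockfile was supplied"]
    return [f"{dep.name}: unknown dependency kind {dep.kind!r}"]


def check_dependencies(deps):
    """Collect the gaps across a submission's runtime dependency list."""
    gaps = []
    for dep in deps:
        gaps.extend(check_dependency(dep))
    return gaps


# Constructed sample dependency list (made up for this example, not real data).
SAMPLE_DEPS = [
    Dependency("exact-pkg", "package", "1.3.0"),
    Dependency("ranged-pkg", "package", "^2.0.0"),                  # gap: range, no lockfile
    Dependency("locked-pkg", "package", "^4.1.0", lockfile=True),
    Dependency("short-sha-repo", "git", "a3f2c1d"),                 # gap: abbreviated SHA
    Dependency("tagged-repo", "git", "v1.2.3"),                     # gap: a tag can be moved
    Dependency("pinned-repo", "git", "0123456789abcdef0123456789abcdef01234567"),
    Dependency("weather-mcp", "remote_mcp"),                        # gap: no provenance
    Dependency("geo-api", "http_api", provenance="https://example.invalid/geo-api@1.0.0 (verified)"),
]

if __name__ == "__main__":
    for gap in check_dependencies(SAMPLE_DEPS):
        print("BLOCK:", gap)
```

Running the block reports four gaps for the sample list (the ranged package without a lockfile, the abbreviated SHA, the tag, and the remote MCP entry without provenance); the pinned package, the locked package, the full-SHA repository and the HTTP API with a provenance record pass.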

Audit

Public transparency log

The public audit log shows sanitized submission status, risk, hard/review/advisory blockers, scanner health, dependency counts, and review events. Raw scanner output and secret values are not public.

Review

Maintainer dashboard

Maintainers use a private review queue for submissions that need action. Hard blockers cannot be approved; review blockers need a written reason before approval.
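The approval gate described here and the sanitized public log described under "Public transparency log" share one data model, so a single added example (not Codex Commons code) covers both: `decide_approval` refuses hard blockers outright and requires a non-empty written reason for review blockers, and `public_audit_entry` projects a submission onto the public fields (status, risk, blocker counts per class, scanner health, dependency count, review events) while leaving raw scanner output out. The class names, blocker codes, scanner-health values and the sample submission are this example's own constructions.

```python
from dataclasses import dataclass, field

HARD, REVIEW, ADVISORY = "hard", "review", "advisory"


@dataclass
class Blocker:
    cls: str              # HARD, REVIEW or ADVISORY
    code: str             # short identifier; the codes used below are made up
    raw_output: str = ""  # raw scanner text: kept private, never published


@dataclass
class Submission:
    plugin: str
    commit: str
    risk: list
    blockers: list
    scanner_health: dict   # scanner name -> "ok", "degraded" or "missing"
    dependency_count: int
    review_events: list = field(default_factory=list)


def decide_approval(sub, reason=""):
    """Maintainer approval gate: hard blockers can never be approved, review
    blockers need a written reason, advisory blockers do not block."""
    hard = [b.code for b in sub.blockers if b.cls == HARD]
    if hard:
        return False, f"hard blockers cannot be approved: {hard}"
    review = [b.code for b in sub.blockers if b.cls == REVIEW]
    if review and not reason.strip():
        return False, f"review blockers need a written reason: {review}"
    return True, "approved"


def approve(sub, reason=""):
    """Apply the gate and, on success, append a review event to the submission."""
    ok, message = decide_approval(sub, reason)
    if ok:
        sub.review_events.append({"action": "approved", "reason": reason.strip() or None})
    return ok, message


def public_audit_entry(sub, status):
    """Project a submission onto the public log fields. Blockers appear only as
    counts per class; Blocker.raw_output is never copied into the record."""
    counts = {HARD: 0, REVIEW: 0, ADVISORY: 0}
    for b in sub.blockers:
        counts[b.cls] += 1
    return {
        "plugin": sub.plugin,
        "commit": sub.commit,
        "status": status,
        "risk": list(sub.risk),
        "blockers": counts,
        "scanner_health": dict(sub.scanner_health),
        "dependency_count": sub.dependency_count,
        "review_events": [dict(e) for e in sub.review_events],
    }


def make_sample():
    """Constructed submission: one review blocker whose raw output carries a
    stand-in secret value, plus one advisory finding (made-up codes)."""
    return Submission(
        plugin="example-plugin",
        commit="0123456789abcdef0123456789abcdef01234567",
        risk=["network", "filesystem"],
        blockers=[
            Blocker(REVIEW, "unpinned-dependency",
                    raw_output="token=SECRET-PLACEHOLDER-DO-NOT-PUBLISH"),
            Blocker(ADVISORY, "scorecard-low"),
        ],
        scanner_health={"semgrep": "ok", "clamav": "ok", "osv": "degraded"},
        dependency_count=3,
    )


if __name__ == "__main__":
    sub = make_sample()
    print(approve(sub))                                   # rejected: no written reason
    print(approve(sub, "dependency pinned in a later upstream commit"))
    print(public_audit_entry(sub, "approved"))            # counts only, no raw output
```

A malware finding is modelled as a `HARD` blocker: adding one to the sample submission makes `decide_approval` reject it regardless of the reason supplied, matching the "hard blocker" rule above.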

Remote services

Source-reviewed vs endpoint-only

A reachable endpoint proves only that something answered a request made without user secrets. Source-reviewed means Codex Commons has source/provenance metadata tied to a pinned commit or version.

Moderation

Quarantine and revocation

Maintainers can quarantine or revoke listings for suspicious behavior, misleading metadata, unavailable source, broken validation context, dependency risk, or policy violations. A revoked listing is no longer an installable recommendation.

Before install

What users should inspect

Review the source repository, pinned commit, plugin path, manifest, risk labels, validation report, review history, and any remote service privacy or terms links before installing.