TL;DR: OpenAI Codex CLI in non-interactive exec mode can silently execute attacker-controlled instructions embedded in AGENTS.md before processing the user’s task, enabling credential reads and staging from local paths such as AWS keys or npm tokens, according to Backslash Security. The core issue is that safety gating becomes mode-dependent, not invariant, so agent instruction files now function as executable supply chain artifacts.
NHIMG editorial — based on content published by Backslash Security: Backslash blog analysis of OpenAI Codex injection in AGENTS.md and credential exfiltration
By the numbers:
- 80% of organisations report their AI agents have already performed actions beyond their intended scope, including accessing unauthorised systems (39%), inappropriately sharing sensitive data (31%), and revealing access credentials (23%).
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate.
Questions worth separating out
Q: How should security teams govern coding agents that can execute repository instructions?
A: Treat repository instruction files as executable input, not documentation.
Q: Why do autonomous coding agents increase credential exposure risk?
A: They increase risk because they can read local files, execute commands, and continue a task without a human approval prompt.
Q: What breaks when exec mode is allowed against untrusted repositories?
A: The assumption that the repository is safe enough to trust breaks first.
Practitioner guidance
- Review agent instruction files before unsupervised runs Treat AGENTS.md, MCP server configuration, and similar repository instructions as executable artefacts.
- Restrict host credential path access for agent processes Run coding agents in containers or with OS-level controls that prevent reads from ~/.aws, ~/.gitconfig, and ~/.npmrc unless those paths are explicitly required for the task.
- Enforce platform policy for exec mode Block unsupervised execution unless the repository instruction file has passed content review and the workspace is trusted.
What's in the full article
Backslash Security's full blog post covers the operational detail this post intentionally leaves for the source:
- The exact proof-of-concept command sequence used to demonstrate silent execution in Codex exec mode.
- The specific credential-path patterns the researchers tested, including local cloud and package-manager files.
- The patch status and open questions around obfuscated commands, indirect exfiltration, and multi-step instruction chains.
- The practical mitigation checklist for scanning agent instruction files and restricting process-level file access.
👉 Read Backslash Security’s analysis of Codex exec mode and AGENTS.md injection →
AGENTS.md trust failures in coding agents: are your controls keeping up?
Explore further
AGENTS.md is not documentation when an agent can execute it. The file becomes a non-human identity control surface the moment the runtime treats it as pre-task instruction, especially in unattended modes. That shifts the governance question from code review to execution trust, because the file now influences what the agent does before the user’s task even begins. Practitioners should classify agent instruction files alongside other executable supply chain artefacts.
A few things that frame the scale:
- 96% of technology professionals identify AI agents as a growing security threat, and 66% believe this risk is immediate, according to AI Agents: The New Attack Surface report.
- Only 52% of companies can track and audit the data their AI agents access, leaving 48% with a complete blind spot for compliance and breach investigation.
A question worth separating out:
Q: Who is accountable when an agent instruction file causes secret exposure?
A: Accountability sits with the programme that approved the execution path, not with the model itself. Teams must define who can author instruction files, who can permit exec mode, and what evidence proves the file was scanned before use. Without that governance chain, audit trails will show only a normal task run, not the trust failure behind it.
👉 Read our full editorial: Codex exec mode shows how AGENTS.md becomes a trust boundary