upvote
Give enough usage, you can reconstruct an entire codebase via tool calls alone, and it'll be entirely undetectable because it's all done server side. Whatever grok's doing is just more blatant, but using opencode or whatever doesn't create a meaningful security boundary. It's like the meme of using cheetos as a lock.
reply
I agree with you, but Codex is open source.
reply
Is the server side open-source too, as gruez brought up in the sibling comment?

Technically they can still do potentially any- and everything undetected there; and for what it’s worth, even with a closed-source client bad behavior would get detected eventually through network inspection.

reply
Yeah. Not the Desktop App though.
reply
its an electron app you an inspect it
reply
> the next update

That's a major problem in its own right. Yes, not updating an XP SP1 RCE immediately is dangerous, but in the last couple decades I've seen far more damage inflicted from automatic updates than what I think the lack of them would have caused.

reply
I'm using my own agent, but i can't risk blocking the company account with it.....
reply
last time I checked, codex is still open source w Apache-2.0 license
reply