A leash for your AI agent's inner penetration tester
This runtime layer gives Codex a structured, opt-in red-team workflow that stays out of your way until you explicitly enable it.

What it does
Codex Red Team Opt-In Mode is a Python runtime layer that adds a toggleable red-team workflow to OpenAI’s Codex agent. Normal coding and research tasks stay untouched unless you explicitly enable red-team mode via a command like /redteam full or 进入红队模式. Once active, it routes security tasks through structured domain cards and an evidence-gated engine instead of dumping a monolithic attack prompt into context.
The interesting bit
Rather than the usual jailbreak approach of stuffing offensive instructions into the system prompt, the project uses SKILL.md scope-not-instruct cards that declare boundaries, pivot hints, and required exit evidence. A five-phase engine drives progression, and a four-level feedback gate—pass, soft_fail, pivot, or blocked—decides whether the agent advances, retries, changes course, or halts for human review.
Key highlights
- Three explicit modes:
normal(default),redteam-light(targeted analysis/planning), andredteam-full(constrained workflow). - 34 domain-specific SKILL.md cards covering Web, Active Directory, Cloud, Kubernetes, mobile, crypto, and more.
- Regex-based router with fine-grained sub-routers per domain; routes tasks via
phase → router → pack → leafinstead of treating the requested method as the primary axis. - Session patcher with a two-tier refusal detector and JSONL session cleaner.
- Tool policy that prefers five practical classes—
WebFetch,Browser MCP,IDA MCP,JADX MCP, and the current AI agent—then falls back to local equivalents.
Caveats
- This is routing and governance infrastructure, not a ready-to-use attack platform: it manages context, adapters, and evidence gates, but ships no hardcoded exploits.
- Actual tool execution depends on your local MCP and tool inventory; if a required adapter is missing, the runtime blocks or pivots rather than faking results.
Verdict
Worth a look if you already use Codex for security work and want a structured, gated red-team workflow without polluting everyday coding. Skip it if you’re hunting for a push-button exploit framework—this is closer to an opinionated project manager for your agent’s dark side.
Frequently asked
- What is chAng-L19/codex-redteam-mode?
- This runtime layer gives Codex a structured, opt-in red-team workflow that stays out of your way until you explicitly enable it.
- Is codex-redteam-mode open source?
- Yes — chAng-L19/codex-redteam-mode is open source, released under the MIT license.
- What language is codex-redteam-mode written in?
- chAng-L19/codex-redteam-mode is primarily written in Python.
- How popular is codex-redteam-mode?
- chAng-L19/codex-redteam-mode has 513 stars on GitHub.
- Where can I find codex-redteam-mode?
- chAng-L19/codex-redteam-mode is on GitHub at https://github.com/chAng-L19/codex-redteam-mode.