← all repositories
chAng-L19/codex-redteam-mode

A leash for your AI agent's inner penetration tester

This runtime layer gives Codex a structured, opt-in red-team workflow that stays out of your way until you explicitly enable it.

codex-redteam-mode
Collecting fresh signals — velocity needs a few days of history.
collecting data…
star history

What it does

Codex Red Team Opt-In Mode is a Python runtime layer that adds a toggleable red-team workflow to OpenAI’s Codex agent. Normal coding and research tasks stay untouched unless you explicitly enable red-team mode via a command like /redteam full or 进入红队模式. Once active, it routes security tasks through structured domain cards and an evidence-gated engine instead of dumping a monolithic attack prompt into context.

The interesting bit

Rather than the usual jailbreak approach of stuffing offensive instructions into the system prompt, the project uses SKILL.md scope-not-instruct cards that declare boundaries, pivot hints, and required exit evidence. A five-phase engine drives progression, and a four-level feedback gate—pass, soft_fail, pivot, or blocked—decides whether the agent advances, retries, changes course, or halts for human review.

Key highlights

  • Three explicit modes: normal (default), redteam-light (targeted analysis/planning), and redteam-full (constrained workflow).
  • 34 domain-specific SKILL.md cards covering Web, Active Directory, Cloud, Kubernetes, mobile, crypto, and more.
  • Regex-based router with fine-grained sub-routers per domain; routes tasks via phase → router → pack → leaf instead of treating the requested method as the primary axis.
  • Session patcher with a two-tier refusal detector and JSONL session cleaner.
  • Tool policy that prefers five practical classes—WebFetch, Browser MCP, IDA MCP, JADX MCP, and the current AI agent—then falls back to local equivalents.

Caveats

  • This is routing and governance infrastructure, not a ready-to-use attack platform: it manages context, adapters, and evidence gates, but ships no hardcoded exploits.
  • Actual tool execution depends on your local MCP and tool inventory; if a required adapter is missing, the runtime blocks or pivots rather than faking results.

Verdict

Worth a look if you already use Codex for security work and want a structured, gated red-team workflow without polluting everyday coding. Skip it if you’re hunting for a push-button exploit framework—this is closer to an opinionated project manager for your agent’s dark side.

Frequently asked

What is chAng-L19/codex-redteam-mode?
This runtime layer gives Codex a structured, opt-in red-team workflow that stays out of your way until you explicitly enable it.
Is codex-redteam-mode open source?
Yes — chAng-L19/codex-redteam-mode is open source, released under the MIT license.
What language is codex-redteam-mode written in?
chAng-L19/codex-redteam-mode is primarily written in Python.
How popular is codex-redteam-mode?
chAng-L19/codex-redteam-mode has 513 stars on GitHub.
Where can I find codex-redteam-mode?
chAng-L19/codex-redteam-mode is on GitHub at https://github.com/chAng-L19/codex-redteam-mode.

heatdrop uses Google Analytics to see which pages get read — nothing else. Your call. How we handle data.