codex - 💡(How to fix) Fix False-positive cybersecurity flag for authorized listing troubleshooting in Codex CLI [2 comments, 3 participants]

What version of Codex CLI is running?

codex-cli 0.128.0

What subscription do you have?

ChatGPT Pro paid plan used with Codex CLI.

Which model were you using?

gpt-5.5 xhigh

What platform is your computer?

Linux 6.6.114.1-microsoft-standard-WSL2 x86_64 unknown

What terminal emulator and version are you using (if applicable)?

Windows Terminal with WSL2, TERM=xterm-256color, WT_SESSION present

What issue are you seeing?

A Codex CLI session was flagged for possible cybersecurity risk during authorized website/listing troubleshooting in my own workspace.

The task was to fix a residential room rental listing across listing platforms. The flagged part appears to have happened after inspecting a public Roomeo React bundle to understand how normal listing fields and image uploads are saved.

The warning shown in the TUI was:

This chat was flagged for possible cybersecurity risk
If this seems wrong, try rephrasing your request. To get authorized for security work, join the Trusted Access for Cyber program:
https://chatgpt.com/cyber

After that, a persistent warning started appearing after every prompt, including in fresh Codex CLI sessions:

Your conversations have multiple flags for possible cybersecurity risk.
Responses may take longer because extra safety checks are on. To get authorized for security work, join the Trusted Access for Cyber program:
https://chatgpt.com/cyber

I used the Codex CLI feedback flow and it confirmed that the thread/logs were uploaded. I opened this issue from the CLI-generated GitHub issue URL.

What steps can reproduce the bug?

1. Use Codex CLI for authorized maintenance of my own residential room rental listing.
2. Inspect the logged-in listing workflow and a public frontend JavaScript bundle to understand how listing fields and image uploads are saved.
3. Search the public Roomeo bundle for normal application terms such as rooms, room_images, room-images, supabase, from(, update(, insert(, storage, description, deposit, bathroom, and rules.
4. The session gets flagged for possible cybersecurity risk.
5. Use the Codex CLI feedback flow to upload the relevant thread/logs.
6. Start a fresh Codex CLI session and send a normal unrelated prompt.
7. The persistent cybersecurity warning appears again after every prompt.

I do not have a minimal public repro because this happened in an authenticated personal workspace, but the logs were uploaded through the CLI feedback flow before opening this issue.

What is the expected behavior?

The original session should be treated as authorized website/listing troubleshooting, not malicious cybersecurity activity.

If a false-positive cyber classification happens, it should not leave the account or workspace in a persistent mitigation state across unrelated new sessions after the feedback flow is used for review.

The warning should only appear when the current conversation actually contains relevant cybersecurity risk.

Additional information

No malicious activity, credential theft, exploitation, phishing, malware, vulnerability scanning, privilege escalation, access-control bypass, or unauthorized third-party access was requested or performed.

The session may look security-sensitive in isolation because it included public frontend bundle inspection, Supabase-related search terms, and authenticated account automation for my own listing. In context, this was normal authorized maintenance of my own listing data and photos.

The main issue is the false-positive cyber flag. The persistent warning in fresh sessions is the follow-on problem.