codex-octopus
mcp
Warn
Health Warn
- License — License: ISC
- Description — Repository has a description
- Active repo — Last push 0 days ago
- Low visibility — Only 6 GitHub stars
Code Warn
- process.env — Environment variable access in src/lib.ts
Permissions Pass
- Permissions — No dangerous permissions requested
Purpose
This MCP server wraps the OpenAI Codex SDK, allowing you to spawn multiple specialized AI coding agents. Each agent can be configured independently with different models, permission levels, and personalities to handle tasks like code review or writing tests.
Security Assessment
Overall Risk: High. While the tool itself is a lightweight TypeScript wrapper and doesn't request dangerous permissions or contain hardcoded secrets, it is designed to orchestrate the underlying Codex CLI. This means it inherently executes shell commands and makes network requests to OpenAI's servers. Additionally, the default configuration in the README sets `CODEX_APPROVAL_POLICY` to "never," which allows the spawned agents to execute commands autonomously without requiring user approval. The only code-level flag is an environment variable access (`process.env`) used to read your OpenAI API key, which is expected behavior.
Quality Assessment
The project is actively maintained, with its last push occurring today, and properly operates under the permissive ISC license. However, it currently suffers from extremely low community visibility, having only 6 stars on GitHub. As a result, the codebase has not been broadly vetted by the open-source community.
Verdict
Use with caution: the lightweight wrapper is safe, but the low community vetting and default configuration of autonomous, unapproved command execution via the Codex CLI pose significant security risks.
This MCP server wraps the OpenAI Codex SDK, allowing you to spawn multiple specialized AI coding agents. Each agent can be configured independently with different models, permission levels, and personalities to handle tasks like code review or writing tests.
Security Assessment
Overall Risk: High. While the tool itself is a lightweight TypeScript wrapper and doesn't request dangerous permissions or contain hardcoded secrets, it is designed to orchestrate the underlying Codex CLI. This means it inherently executes shell commands and makes network requests to OpenAI's servers. Additionally, the default configuration in the README sets `CODEX_APPROVAL_POLICY` to "never," which allows the spawned agents to execute commands autonomously without requiring user approval. The only code-level flag is an environment variable access (`process.env`) used to read your OpenAI API key, which is expected behavior.
Quality Assessment
The project is actively maintained, with its last push occurring today, and properly operates under the permissive ISC license. However, it currently suffers from extremely low community visibility, having only 6 stars on GitHub. As a result, the codebase has not been broadly vetted by the open-source community.
Verdict
Use with caution: the lightweight wrapper is safe, but the low community vetting and default configuration of autonomous, unapproved command execution via the Codex CLI pose significant security risks.
One brain, many arms — spawn multiple specialized Codex agents as MCP servers
README.md
Codex Octopus
One brain, many arms.
An MCP server that wraps the OpenAI Codex SDK, letting you run multiple specialized Codex agents — each with its own model, sandbox, effort, and personality — from any MCP client.
Why
Codex is powerful. But one instance does everything the same way. Sometimes you want a strict code reviewer in read-only sandbox. A test writer with workspace-write access. A cheap quick helper on minimal effort. A deep thinker on xhigh.
Codex Octopus lets you spin up as many of these as you need. Same binary, different configurations. Each one shows up as a separate tool in your MCP client.
Prerequisites
- Node.js >= 18
- Codex CLI — the Codex SDK spawns the Codex CLI under the hood, so you need it installed (
@openai/codex) - OpenAI API key (
CODEX_API_KEYenv var) or inherited from parent process
Install
npm install codex-octopus
Or use npx directly in your .mcp.json (see Quick Start below).
Quick Start
Add to your .mcp.json:
{
"mcpServers": {
"codex": {
"command": "npx",
"args": ["codex-octopus@latest"],
"env": {
"CODEX_SANDBOX_MODE": "workspace-write",
"CODEX_APPROVAL_POLICY": "never"
}
}
}
}
This gives you two tools: codex and codex_reply. That's it — you have Codex as a tool.
Multiple Agents
The real power is running several instances with different configurations:
{
"mcpServers": {
"code-reviewer": {
"command": "npx",
"args": ["codex-octopus@latest"],
"env": {
"CODEX_TOOL_NAME": "code_reviewer",
"CODEX_SERVER_NAME": "code-reviewer",
"CODEX_DESCRIPTION": "Strict code reviewer. Read-only sandbox.",
"CODEX_MODEL": "o3",
"CODEX_SANDBOX_MODE": "read-only",
"CODEX_APPEND_INSTRUCTIONS": "You are a strict code reviewer. Report real bugs, not style preferences.",
"CODEX_EFFORT": "high"
}
},
"test-writer": {
"command": "npx",
"args": ["codex-octopus@latest"],
"env": {
"CODEX_TOOL_NAME": "test_writer",
"CODEX_SERVER_NAME": "test-writer",
"CODEX_DESCRIPTION": "Writes thorough tests with edge case coverage.",
"CODEX_MODEL": "gpt-5-codex",
"CODEX_SANDBOX_MODE": "workspace-write",
"CODEX_APPEND_INSTRUCTIONS": "Write tests first. Cover edge cases. TDD."
}
},
"quick-qa": {
"command": "npx",
"args": ["codex-octopus@latest"],
"env": {
"CODEX_TOOL_NAME": "quick_qa",
"CODEX_SERVER_NAME": "quick-qa",
"CODEX_DESCRIPTION": "Fast answers to quick coding questions.",
"CODEX_EFFORT": "minimal"
}
}
}
}
Your MCP client now sees three distinct tools — code_reviewer, test_writer, quick_qa — each purpose-built.
Agent Factory
Don't want to write configs by hand? Add a factory instance:
{
"mcpServers": {
"agent-factory": {
"command": "npx",
"args": ["codex-octopus@latest"],
"env": {
"CODEX_FACTORY_ONLY": "true",
"CODEX_SERVER_NAME": "agent-factory"
}
}
}
}
This exposes a single create_codex_mcp tool — an interactive wizard. Tell it what you want ("a strict code reviewer with read-only sandbox") and it generates the .mcp.json entry for you.
Tools
Each non-factory instance exposes:
| Tool | Purpose |
|---|---|
<name> |
Send a task to the agent, get a response + thread_id |
<name>_reply |
Continue a previous conversation by thread_id |
Per-invocation parameters (override server defaults):
| Parameter | Description |
|---|---|
prompt |
The task or question (required) |
cwd |
Working directory override |
model |
Model override |
additionalDirs |
Extra directories the agent can access |
effort |
Reasoning effort (minimal to xhigh) |
sandboxMode |
Sandbox override (can only tighten, never loosen) |
approvalPolicy |
Approval override (can only tighten, never loosen) |
networkAccess |
Enable network access from sandbox |
webSearchMode |
Web search: disabled, cached, live |
instructions |
Additional instructions (prepended to prompt) |
Configuration
All configuration is via environment variables in .mcp.json. Every env var is optional.
Identity
| Env Var | Description | Default |
|---|---|---|
CODEX_TOOL_NAME |
Tool name prefix (<name> and <name>_reply) |
codex |
CODEX_DESCRIPTION |
Tool description shown to the host AI | generic |
CODEX_SERVER_NAME |
MCP server name in protocol handshake | codex-octopus |
CODEX_FACTORY_ONLY |
Only expose the factory wizard tool | false |
Agent
| Env Var | Description | Default |
|---|---|---|
CODEX_MODEL |
Model (gpt-5-codex, o3, codex-1, etc.) |
SDK default |
CODEX_CWD |
Working directory | process.cwd() |
CODEX_SANDBOX_MODE |
read-only, workspace-write, danger-full-access |
read-only |
CODEX_APPROVAL_POLICY |
never, on-failure, on-request, untrusted |
on-failure |
CODEX_EFFORT |
minimal, low, medium, high, xhigh |
SDK default |
CODEX_ADDITIONAL_DIRS |
Extra directories (comma-separated) | none |
CODEX_NETWORK_ACCESS |
Allow network from sandbox | false |
CODEX_WEB_SEARCH |
disabled, cached, live |
disabled |
Instructions
| Env Var | Description |
|---|---|
CODEX_INSTRUCTIONS |
Replaces the default instructions |
CODEX_APPEND_INSTRUCTIONS |
Appended to the default (usually what you want) |
Advanced
| Env Var | Description |
|---|---|
CODEX_PERSIST_SESSION |
true/false — enable session resume (default: true) |
Authentication
| Env Var | Description | Default |
|---|---|---|
CODEX_API_KEY |
OpenAI API key for this agent | inherited from parent |
Security
- Sandbox defaults to
read-only— the agent can't write files unless you explicitly setworkspace-writeordanger-full-access. cwdoverrides preserve agent knowledge — when the host overridescwd, the agent's configured base directory is automatically added toadditionalDirectories.- Security overrides narrow, never widen — per-invocation
sandboxModeandapprovalPolicycan only tighten (e.g.,workspace-write→read-only), never loosen. _replytool respects persistence — not registered whenCODEX_PERSIST_SESSION=false.- API keys are redacted — the factory wizard never exposes
CODEX_API_KEYin generated configs.
Architecture
┌─────────────────────────────────┐
│ MCP Client │
│ (Claude Desktop, Cursor, etc.) │
│ │
│ Sees: code_reviewer, │
│ test_writer, quick_qa │
└──────────┬──────────────────────┘
│ JSON-RPC / stdio
┌──────────▼──────────────────────┐
│ Codex Octopus (per instance) │
│ │
│ Env: CODEX_MODEL=o3 │
│ CODEX_SANDBOX_MODE=... │
│ CODEX_APPEND_INSTRUCTIONS │
│ │
│ Calls: Codex SDK thread.run() │
└──────────┬──────────────────────┘
│ in-process
┌──────────▼──────────────────────┐
│ Codex SDK → Codex CLI │
│ Runs autonomously: reads files,│
│ writes code, runs commands │
│ Returns result + thread_id │
└─────────────────────────────────┘
Known Limitations
minimaleffort + web_search: OpenAI does not allowweb_searchtools withminimalreasoning effort. Uselowor higher if web search is needed.
Development
pnpm install
pnpm build # compile TypeScript
pnpm test # run tests (vitest)
pnpm test:coverage # coverage report
License
ISC - Xiaolai Li
Reviews (0)
Sign in to leave a review.
Leave a reviewNo results found