Safety Testing at Scale: What Vera's 1,600 Executable Cases Reveal About Agent Vulnerabilities — and How Codex CLI's Defence Layers Hold Up
Safety Testing at Scale: What Vera’s 1,600 Executable Cases Reveal About Agent Vulnerabilities — and How Codex CLI’s Defence Layers Hold Up
The Problem with Agent Safety Evaluation
Most agent safety benchmarks suffer from the same structural weakness: they evaluate what the agent says rather than what it does. An agent can claim refusal in its final message while having already executed the harmful action three tool calls earlier. Hard-coded rule matching compounds the problem — static evaluators cannot keep pace with the combinatorial explosion of risk categories, attack methods, and execution environments that production agents encounter.
Feng et al. address this directly with Vera, a framework for safety testing LLM agents at scale that replaces self-reported compliance with evidence-grounded verification1. Their benchmark, Vera-Bench, comprises 1,600 executable safety cases spanning 124 risk categories, 77 attack methods, and 30 environment categories1. Four production agent frameworks were evaluated: OpenClaw, Hermes, Codex CLI, and Claude Code.
The results are sobering. Under multi-channel attacks, the average attack success rate across all frameworks reaches 93.9%1.
How Vera Works
Vera operates in three stages, each addressing a specific gap in existing safety evaluation.
Stage 1: Taxonomic Risk Discovery
Rather than relying on a fixed risk catalogue, Vera constructs its taxonomy from literature-driven continuous exploration. The resulting risk structure contains 124 leaf-level risk categories organised into eight first-level groups1:
| Risk Group | Avg. Evidence Success Rate |
|---|---|
| Integrity | 95.3% |
| Cyber Attack | 88.4% |
| Privacy & Data | 83.7% |
| System Abuse | 82.7% |
| Privilege Escalation | 82.4% |
| Malware Generation | 81.6% |
| System Probing | 81.6% |
| Harmful Output | 79.0% |
Attack methods are separately taxonomised into 77 leaf-level categories across 11 families. Mechanistic attacks — profile inference (89.9%), task decomposition (88.5%), obfuscation (87.9%) — consistently outperform contextual approaches like social engineering (74.4%)1.
Stage 2: Combinatorial Composition
Vera combines risk categories, attack methods, and environments through compatibility filtering. From 39,078 candidate safety goals, the pipeline retains 1,600 executable base scenarios after quality filtering and deduplication1. Each scenario produces three controlled variants: benign, single-channel, and multi-channel.
Stage 3: Evidence-Grounded Verification
This is where Vera diverges most sharply from prior work. The verification hierarchy prioritises evidence sources by manipulation resistance1:
graph TD
A[Safety Case Execution] --> B{Evidence Source}
B --> C[Environment State<br/>Files, data, services<br/>Highest priority]
B --> D[Tool-Call Records<br/>Intent captured,<br/>effects not guaranteed]
B --> E[Agent Responses<br/>Consulted only when<br/>text IS the violation]
C --> F[Evidence-Grounded<br/>Verdict]
D --> F
E --> F
F --> G{Violation<br/>Confirmed?}
G -->|Yes| H[Attack Success]
G -->|No| I[Defence Held]
Each execution produces four artefacts: attack_plan, mcp_logs, trace.json, and verify.py1. The asymmetric judgement model prevents false positives where agents claim compliance after executing harmful actions — a pattern the authors observe repeatedly across all four frameworks.
Framework Comparison: Where Codex CLI Sits
The per-framework results reveal meaningful architectural differences1:
| Framework | Single-Channel ASR | Multi-Channel ASR | Overall ASR |
|---|---|---|---|
| Claude Code | 95.2% | 93.1% | 88.6% |
| Hermes | 93.4% | 97.8% | 86.6% |
| Codex CLI | 91.1% | 95.8% | 84.1% |
| OpenClaw | 82.8% | 89.1% | 70.3% |
Several patterns emerge. Codex CLI’s overall attack success rate of 84.1% is the second-lowest, beaten only by OpenClaw’s 70.3%1. However, Codex CLI shows a +4.7 percentage-point increase under multi-channel attacks compared to single-channel — the largest multi-channel vulnerability gap of any framework evaluated1.
Claude Code exhibits an unusual inverse pattern: its multi-channel ASR decreases by 2.1 points relative to single-channel, suggesting stronger filtering on tool-result channels1. This is worth noting for teams choosing between frameworks for security-sensitive deployments.
The Adaptive Steering Gap
Vera’s adaptive test driver — a control agent that steers multi-turn interactions based on runtime observation — demonstrates the value of persistent, reformulating attacks. The single-channel vs. benign gap averages +20.1 percentage points across frameworks1. Codex CLI’s gap is moderate; OpenClaw shows the largest improvement for attackers (+24.8 points), while Claude Code shows the smallest (+15.1 points)1.
This confirms what practitioners already suspect: static prompt-level defences are necessary but insufficient. Multi-turn reformulation, task decomposition, and gradual escalation routinely overcome them.
Mapping Vera’s Findings to Codex CLI’s Defence Stack
Codex CLI’s 84.1% overall ASR means its defences contain roughly 16% of Vera’s attack scenarios. Understanding which scenarios are contained — and which are not — requires mapping Vera’s attack taxonomy against Codex CLI’s layered architecture.
Layer 1: OS-Enforced Sandbox
The --sandbox workspace-write mode uses Landlock LSM and seccomp-BPF on Linux, Seatbelt on macOS, and restricted tokens on Windows to enforce filesystem and network boundaries at the kernel level23. This layer is opaque to the model — it cannot be bypassed through prompt manipulation.
Against Vera’s “Integrity” risk group (95.3% ASR), the sandbox provides the primary containment. File-system mutations outside the workspace are blocked regardless of what the agent intends. However, Vera’s evidence-grounded methodology reveals that many integrity violations occur within the permitted workspace — writing malicious scripts, modifying configuration files, or staging data for exfiltration through permitted network paths.
Layer 2: Approval Policy
The approval_policy configuration provides graduated enforcement4:
[security]
approval_policy = { granular = {
file_write = "always-approve",
shell_command = "always-ask",
network_request = "always-ask"
}}
In untrusted mode, every tool call requires explicit approval. In on-request mode (the --full-auto default), the agent operates autonomously within sandbox bounds. Vera’s multi-channel attacks exploit this gap: in autonomous mode, the agent processes compromised tool results without human checkpoint intervention1.
Layer 3: Deterministic Hooks
PreToolUse and PostToolUse hooks provide the most direct defence against Vera’s attack patterns5. A PreToolUse hook can reject tool calls matching known-dangerous patterns before execution:
[[hooks]]
event = "PreToolUse"
match_tool = "shell"
[hooks.script]
type = "bash"
content = '''
# Block commands targeting sensitive system paths
if echo "$CODEX_TOOL_INPUT" | grep -qE '/(etc|root|var/log)/'; then
echo '{"decision": "reject", "reason": "blocked: system path access"}'
exit 0
fi
echo '{"decision": "approve"}'
'''
A PostToolUse hook can inspect tool output for evidence of compromise — the same evidence-grounded approach Vera itself uses:
[[hooks]]
event = "PostToolUse"
match_tool = "shell"
[hooks.script]
type = "bash"
content = '''
# Flag outputs containing credential-like patterns
if echo "$CODEX_TOOL_OUTPUT" | grep -qEi '(password|secret|token|api_key)='; then
echo '{"decision": "block", "reason": "credential leak detected"}'
exit 0
fi
echo '{"decision": "proceed"}'
'''
Vera’s “Privacy & Data” risk group (83.7% ASR) is where hooks provide the strongest leverage. Deterministic pattern matching on tool inputs and outputs catches exfiltration attempts that the model’s own safety training misses under adversarial steering.
Layer 4: Auto-Review Subagent
When approvals_reviewer = "auto_review" is set, a separate subagent evaluates pending actions in an isolated context4. This architectural separation means the review subagent does not share the compromised conversational context of the primary agent — directly countering Vera’s multi-turn escalation strategy.
However, the auto-review subagent is itself an LLM and therefore vulnerable to the same mechanistic attack patterns that Vera identifies as most effective: task decomposition, obfuscation, and profile inference1.
Layer 5: Network Proxy and Domain Filtering
The network_proxy configuration with domain allowlisting provides a hard boundary against Vera’s “Cyber Attack” risk group (88.4% ASR)6:
[network_proxy]
allow_domains = ["api.github.com", "registry.npmjs.org"]
Combined with the sandbox’s network isolation, this prevents the agent from reaching attacker-controlled infrastructure even if prompt injection succeeds. Vera’s evidence-grounded verification would record the blocked network attempt in mcp_logs, confirming containment.
The Multi-Channel Problem
Vera’s most significant contribution is quantifying the multi-channel attack surface. In a multi-channel scenario, adversarial content arrives not through the user prompt but through tool results — a compromised API response, a poisoned file read, or a manipulated MCP server output1.
Codex CLI’s +4.7 point multi-channel vulnerability gap suggests that its defences are disproportionately weighted toward prompt-level filtering. The sandbox and hooks provide strong containment for actions, but the model’s reasoning over compromised inputs remains the weak link.
graph LR
subgraph "Single-Channel Attack"
U[User Prompt] -->|Adversarial| M[Model]
M -->|Filtered| T[Tool Execution]
end
subgraph "Multi-Channel Attack"
U2[User Prompt] -->|Benign| M2[Model]
M2 --> T2[Tool Execution]
T2 -->|Compromised Result| M2
M2 -->|Steered| T3[Harmful Action]
end
style T3 fill:#f96,stroke:#333
Practical mitigations for multi-channel exposure in Codex CLI:
- PostToolUse output sanitisation hooks — inspect and filter tool results before they re-enter the model context
enabled_tools/disabled_toolstwo-pass filtering — restrict which tools the agent can invoke, reducing the attack surface for tool-result injection5- MCP server allowlisting via
requirements.toml— enterprise-managed enforcement of which external servers the agent connects to6 model_reasoning_effort— higher reasoning effort has been correlated with improved adversarial robustness in adjacent benchmarks7
Building a Vera-Informed Defence Profile
Vera’s taxonomic structure maps directly to Codex CLI named profiles. A security-hardened profile informed by Vera’s highest-risk categories:
# ~/.codex/profiles/vera-hardened.toml
[security]
approval_policy = "untrusted"
approvals_reviewer = "auto_review"
[sandbox]
mode = "workspace-write"
[network_proxy]
allow_domains = ["api.github.com"]
[[hooks]]
event = "PreToolUse"
match_tool = "shell"
[hooks.script]
type = "bash"
content = '''
# Reject tool calls matching Vera high-risk patterns:
# integrity, cyber attack, privilege escalation
INPUT="$CODEX_TOOL_INPUT"
if echo "$INPUT" | grep -qEi '(curl.*-o|wget|chmod\s+[0-7]*7|sudo|su\s)'; then
echo '{"decision": "reject", "reason": "vera-hardened: blocked high-risk pattern"}'
exit 0
fi
echo '{"decision": "approve"}'
'''
[[hooks]]
event = "PostToolUse"
[hooks.script]
type = "bash"
content = '''
# Evidence-grounded output inspection (Vera methodology)
if echo "$CODEX_TOOL_OUTPUT" | grep -qEi '(BEGIN (RSA|OPENSSH)|password|secret_key)'; then
echo '{"decision": "block", "reason": "vera-hardened: sensitive data in output"}'
exit 0
fi
echo '{"decision": "proceed"}'
'''
Activate with codex --profile vera-hardened.
What Vera Means for Production Agent Deployments
Three takeaways from Vera’s evaluation that should inform how teams deploy Codex CLI:
Evidence over assertions. Vera’s verification hierarchy — environment state first, tool-call records second, agent responses last — is the correct ordering for production monitoring. If your observability stack only captures agent messages, you are missing the evidence that matters most.
Multi-channel is the real threat model. Single-channel prompt injection is well-studied and increasingly well-defended. Multi-channel attacks through compromised tool results represent the frontier — and Codex CLI’s +4.7 point vulnerability gap indicates this is where defensive investment should concentrate.
Deterministic beats probabilistic. Codex CLI’s hooks engine provides deterministic, model-independent filtering that operates regardless of adversarial context. Vera’s data shows that mechanistic attacks (obfuscation, task decomposition) consistently outperform contextual approaches — which means deterministic defences that pattern-match on tool inputs and outputs will catch what the model’s safety training misses under steering.
The Vera framework and Vera-Bench dataset are publicly available at github.com/Yunhao-Feng/Vera1.
Citations
-
Feng, Y., Lin, R., Wen, M., et al. “Safety Testing LLM Agents at Scale: From Risk Discovery to Evidence-Grounded Verification.” arXiv:2607.01793, July 2026. https://arxiv.org/abs/2607.01793 ↩ ↩2 ↩3 ↩4 ↩5 ↩6 ↩7 ↩8 ↩9 ↩10 ↩11 ↩12 ↩13 ↩14 ↩15 ↩16 ↩17 ↩18
-
OpenAI. “Sandbox — Codex Concepts.” OpenAI Developers, 2026. https://developers.openai.com/codex/concepts/sandboxing ↩
-
OpenAI. “Agent Approvals & Security — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/agent-approvals-security ↩
-
OpenAI. “Advanced Configuration — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/config-advanced ↩ ↩2
-
OpenAI. “Configuration Reference — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/config-reference ↩ ↩2
-
OpenAI. “Changelog — Codex.” OpenAI Developers, 2026. https://developers.openai.com/codex/changelog ↩ ↩2
-
OpenAI. “Command Line Options — Codex CLI Reference.” OpenAI Developers, 2026. https://developers.openai.com/codex/cli/reference ↩