The main security risks with GPT 5.3 Codex are data exposure, unsafe code generation, supply-chain mistakes, and tool misuse in agentic workflows. Because Codex is designed for long-running tasks with tool use, you must assume it will see sensitive context (source code, configs) and may attempt actions (running commands, changing dependencies) unless you constrain it. The risk isn’t “the model is malicious,” it’s that it can make confident mistakes at high speed, and the surrounding system may execute them. OpenAI’s Codex automation guidance emphasizes verifying failures and connecting fixes to real root causes, which is partly a reliability practice and partly a security practice: it discourages random changes that could introduce vulnerabilities or destabilize the system. See: Codex automations guidance and the CI automation example: Autofix GitHub Actions with Codex CLI.
A practical threat checklist for engineering teams:
1) Secret leakage
Prompts may include tokens, keys,
.envcontents, internal URLs.Mitigation: redact secrets before sending context; blocklist sensitive files; scan outputs for secrets before logging or committing.
2) Unsafe code patterns
Common issues: injection risks, unsafe deserialization, insecure defaults, missing auth checks.
Mitigation: run SAST, dependency scanning, and security linters; require changes to pass these checks; enforce code review for auth/crypto changes.
3) Dependency and supply-chain risk
The agent may “fix” by adding a new dependency or upgrading versions unexpectedly.
Mitigation: forbid new dependencies by policy; require explicit approval for upgrades; lockfile diff review required.
4) Tool execution risk
In agent mode, if it can run commands, it may run destructive or exfiltrating commands.
Mitigation: allowlist commands; sandbox execution; cap privileges; log all commands; require confirmation for risky operations.
5) Prompt injection via retrieved content
If you do RAG over docs/issues, malicious text could instruct the model to ignore rules.
Mitigation: treat retrieved text as untrusted; keep system rules higher priority; strip or annotate instructions in retrieved content.
This is not theoretical—agent workflows amplify these risks because they integrate retrieval and tool execution in loops.
Vector databases are part of the security story too. If you use RAG, make sure retrieval enforces authorization so the model can’t “accidentally” retrieve private documents for the wrong user. Milvus and Zilliz Cloud can store embeddings and metadata; you should use metadata-based access control (tenant IDs, doc visibility) to filter retrieval per user/session. That way, even if GPT 5.3 Codex is asked for sensitive info, the system physically cannot retrieve it. Combine access-controlled retrieval, strict output contracts, automated scanning, and human review on high-risk changes, and you can use GPT 5.3 Codex productively without turning it into a security liability.