Security audit tool for ChatGPT Desktop and Codex on macOS — including connectors, permissions, plugins, data controls, feature flags, telemetry, and enterprise configuration.
One command. Full visibility. Read-only.
ChatGPT has expanded from a single chat box into a sprawling product family — core chat, custom GPTs, connected apps (connectors), Codex for autonomous coding, Agent mode for browser automation, and Atlas as a full AI-native browser. Each surface carries distinct risk, and the security controls available differ meaningfully across them.
Most of this configuration lives in plist files, TOML configs, Statsig analytics caches, and WebKit storage scattered across multiple directories with no centralised visibility. Your security team can't govern what they can't see.
OPENAUDIT gives you that visibility in a single command.
📝 What's covered: OPENAUDIT audits both ChatGPT Desktop (
com.openai.chat) and Codex (com.openai.codex) — the desktop app and CLI. It inspects local configuration, cached workspace settings, permissions, connectors, plugins, data controls, feature flags, telemetry, and runtime state. It also provides a checklist of admin console settings that can only be verified server-side.
| Area | What's Checked |
|---|---|
| 🖥️ ChatGPT Desktop | App version, Sparkle auto-update, conversation metadata (count/size, not content), custom GPTs (gizmos), WebKit/cookie/cache inventory |
| ⚙️ Codex Configuration | sandbox_mode, approval_policy, shell_environment_policy, analytics, history persistence, network access, AGENTS.md custom instructions |
| 🔐 Codex Auth | auth.json permissions (WARN if not 0600), credential store type (file vs keychain), Keychain entries |
| 🏢 Codex Enterprise | requirements.toml (with MCP allowlist, allowed sandbox/approval/web-search modes), managed_config.toml, MDM profiles, cloud-managed requirements |
| 📊 Data Controls | Training opt-out status, workspace type (personal vs Team/Enterprise), admin-controlled toggle detection, data residency |
| 🔑 Account Permissions | 54+ workspace permissions with 13 dangerous patterns flagged (MCP, agent-mode, code-execution, memory, device-code-auth, admin, etc.) |
| 🔗 Connectors | Available connectors (Slack, GitHub, Google Drive, Outlook, MCP, etc.) from Statsig analytics cache |
| 🛠️ System Tools | Tool inventory with type, dangerous status, and required feature flags |
| 🚩 Feature Flags | Persistent memory, voice mode, search, app pairing, screen sharing, and 13+ flags from Statsig |
| 🕵️ PII Exposure | User IDs, Statsig SDK keys, email addresses found in plaintext local storage (redacted in output) |
| 📡 Telemetry & Analytics | Sentry crash reporting (both apps), Statsig analytics (gate count), SDK key exposure, Sparkle auto-update |
| 🧩 Codex Plugins | Installed plugins with version, source marketplace, skill count, plus deep scan of skills and connectors per plugin |
| 🪝 Codex Hooks | Hook events (PreToolUse, PostToolUse, SessionStart, etc.) and shell commands |
| 🎯 Codex Skills | Skill names and descriptions from SKILL.md frontmatter |
| 📏 Codex Rules | Starlark .rules files with prefix_rule() patterns and decisions (allow/prompt/forbidden) |
| 🏃 Runtime State | Running processes, sleep assertions, LaunchAgents, crontab entries, log/SQLite sizes, OPENAI_API_KEY in environment |
| 🍪 Cookies | Cookie stores for both ChatGPT and Codex |
| ✅ Admin Console Checklist | 19-item checklist of server-side settings that cannot be audited from the endpoint |
| Requirement | How to check | How to install |
|---|---|---|
| 🍎 macOS | You're on a Mac | — |
| 🐚 zsh | zsh --version |
Ships with macOS since Catalina |
| 🔧 jq | jq --version |
brew install jq |
git clone https://github.com/HarmonicSecurity/openai-audit.git
cd openai-audit
chmod +x openai_audit.sh
./openai_audit.shThat's it. The script reads your ChatGPT and Codex configuration and prints a colour-coded report to the terminal. It never modifies anything.
./openai_audit.sh [OPTIONS]
Options:
--html [FILE] Generate a standalone HTML report
--json Output structured JSON
--user USER Audit a specific user
--all-users Audit all users with ChatGPT/Codex data (requires root)
-q, --quiet Only show WARN and REVIEW findings
--version Print version and exit
-h, --help Show usage
# Default: colour output in terminal
./openai_audit.sh
# Only warnings and critical findings
./openai_audit.sh -q
# Standalone HTML report
./openai_audit.sh --html
# JSON for SIEM ingestion
./openai_audit.sh --json > audit.json
# Specific user
./openai_audit.sh --user jsmith
# All users (run as root via MDM, FleetDM, Jamf, etc.)
sudo ./openai_audit.sh💡 When run as root (uid 0), the script automatically discovers and scans all users with ChatGPT or Codex data. No flags needed.
Colour-coded output with Unicode tables and severity indicators.
Standalone dark-themed report with collapsible sections. Created with restrictive file permissions (0600).
Structured output for SIEM ingestion. Sensitive fields (API keys, tokens, secrets, PII) are automatically redacted. Multi-user scans produce a JSON array. Includes an admin_checklist array of server-side settings to verify manually.
| Severity | Meaning |
|---|---|
| 🟠 WARN | Increases risk surface — e.g. dangerous permissions, training enabled, plaintext SDK keys |
| 🟡 REVIEW | Needs human judgement — e.g. installed plugins, cached connectors |
| 🔵 INFO | Informational — e.g. app versions, config values, permission counts |
Some security-critical settings can only be verified through the ChatGPT admin console or API Platform — they have no local file representation. OPENAUDIT includes a checklist of these settings in every report:
ChatGPT Workspace (chatgpt.com/admin) — Chat retention policy, memory workspace toggle, Agent mode / Web search / Deep research toggles, Code on macOS, Apple Intelligence linking, GPT publishing, third-party GPTs, per-app RBAC and action risk labels, action confirmation, domain verification, SCIM sync, IP allowlisting.
Codex Admin — Device code authentication (phishing risk), Codex Cloud connectors (GitHub/Slack/Linear).
API Platform (platform.openai.com) — Audit logging (disabled by default, cannot be re-disabled), hosted tools (MCP, web search, file search), data sharing toggles, API IP allowlist.
- Read-only — never writes to, modifies, or deletes any audited file
- No network access — all data collected from local filesystem and system commands
- Sensitive data redacted — tokens, keys, PII, and secrets replaced with
[REDACTED]in all output formats - Minimal privileges — runs as current user; root only needed for multi-user scans
- Single file — no dependencies beyond
jq - Auditable — the entire tool is one readable shell script
This project is built and maintained using Claude Code. We love it. Seriously. If you're building developer tools and haven't tried it yet, you're missing out.
Apache License 2.0 — see LICENSE for details.