Episode 48: Codex Remote Control, Agent RCE Hardening

EP048 — Codex Remote Control, Agent RCE Hardening, Copilot Session Hooks, and Microsoft Agent Framework 1.5

OpenClaw Release Candidate Verification

GitHub stable-release list, latest first: v2026.5.7, v2026.5.6, v2026.5.5, v2026.5.4, v2026.5.3-1, v2026.5.3.
Tag set from the last five episode files includes v2026.5.7, v2026.5.6, v2026.5.5, v2026.5.4, v2026.5.3-1, v2026.5.3, and earlier stable tags.
Stable-release walk: start at latest stable v2026.5.7; because that tag is present in the tag set, the contiguous-uncovered candidate list is empty.
Result: zero valid OpenClaw candidates; no OpenClaw release story is included.

Episode Title

Codex Remote Control, Agent RCE Hardening, Copilot Session Hooks, and Microsoft Agent Framework 1.5

Tagline

Codex 0.130.0 adds headless remote-control and cleaner app-server state, Microsoft shows how prompt injection can cross into Semantic Kernel code execution, GitHub Copilot SDK exposes plan and rate-limit handlers, and Microsoft Agent Framework 1.5 ships orchestration, observability, and browser-tool controls.

Feed Description

OpenClaw Daily EP048 opens with OpenAI Codex 0.130.0 and its remote-control app-server entrypoint, paged thread views, plugin hook metadata, config refresh, turn-diff accuracy, multi-environment image resolution, and telemetry changes. The episode then explains Microsoft’s Semantic Kernel RCE case study, GitHub Copilot SDK session hooks and diagnostics, and Microsoft Agent Framework 1.5 changes around Magentic orchestration, WebBrowsingTool allowlists, reasoning events, todo-state injection, and wire-format fixes.

Story Slate

1. OpenAI Codex 0.130.0 Adds Remote-Control App Servers, Paged Thread Views, Plugin Hook Visibility, and Better State Repair

Codex 0.130.0 is the strongest builder story because it changes the operational shape of coding-agent sessions: codex remote-control starts a headless remotely controllable app-server, clients can page large threads as unloaded, summary, or full turn item views, plugin details expose bundled hooks, and live app-server threads refresh from config changes without a restart. It also tightens turn diff tracking across partial apply_patch failures, remote compaction stream events, ThreadStore resume and fork paths, multi-environment view_image, Bedrock auth, and OpenTelemetry trace metadata. Technical depth angle: explain headless app-server control planes, thread pagination semantics, summary versus full turn materialization, plugin hook discoverability, config snapshot refresh, operation-backed diff tracking after partial file mutations, multi-environment file resolution, remote compaction event contracts, and telemetry fields for review and debugging.

2. Microsoft’s Semantic Kernel RCE Research Turns Prompt Injection into a Tool-Execution Boundary Lesson

Microsoft published a detailed security case study showing how prompt injection against Semantic Kernel could cross into remote code execution when an agent exposed a search plugin backed by the default In-Memory Vector Store filter path. The mechanics are concrete: model-controlled tool arguments were interpolated into a Python lambda, executed through eval(), checked with a fragile AST blocklist, and bypassed through Python object traversal rather than direct built-in calls. Technical depth angle: explain AI tool-call parameter trust, injection sinks in plugin schemas, vector-store filter construction, eval() and AST validation failure modes, blocklist bypasses, least-privilege plugin design, typed filter DSLs, runtime sandboxing, patch verification, and detection steps for agent hosts that execute framework-supplied code.

3. GitHub Copilot SDK Adds Plan-Approval and Rate-Limit Mode Hooks plus Cross-SDK Diagnostics

The May 8 Copilot SDK pre-release gives application builders direct callbacks for exitPlanMode.request and autoModeSwitch.request, structured diagnostics for .NET, Python, and Rust SDKs, and an explicit enableSessionTelemetry session option. That turns Copilot-powered sessions from opaque CLI behavior into a programmable runtime where products can approve plan transitions, decide whether to switch models after rate limits, and trace startup, TCP connection, JSON-RPC request timing, session lifecycle, and error paths. Technical depth angle: explain runtime event callbacks, plan-mode approval contracts, automatic model-switch recovery after rate limits, JSON-RPC timing diagnostics, session telemetry opt-in/out, enum forward-compatibility, binary tool-result MIME defaults, and how these controls affect embedded coding-agent products.

4. Microsoft Agent Framework 1.5 Moves Orchestration, Observability, Browser-Tool Policy, and Wire Semantics Forward

Microsoft Agent Framework’s May 8 release adds .NET Magentic Orchestration, hosted-agent observability samples, WebBrowsingTool allowlisting, reasoning events in AGUI, class-based skills and harness context providers in the Python line, todo-state injection, per-call Foundry headers, and a fix that serializes function_call_output.output as a JSON string on the wire. It also repairs workflow re-entry loops, YAML block scalar parsing for file skills, multiparty conversation serialization, and non-thread-safe sequence number generation. Technical depth angle: explain multi-agent orchestration scheduling, browser-tool allowlists, hosted-agent observability, reasoning event transport, declarative skill metadata, todo-list context injection, JSON wire compatibility for tool outputs, sequence-number ordering, workflow re-entry failure modes, and what these controls mean for production agent framework deployment.

Extra Research Candidates

LangChain Core 0.3.86 Backports Path-Traversal Hardening for Loads and Dumps — Primary source: https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.86. Technical depth angle: explain serializer/deserializer path traversal risk, why agent frameworks often load structured graph/tool state from disk or hubs, how security backports differ from feature releases, and why loads/dumps hardening and hub deprecation matter for supply-chain boundaries.
MCP Python SDK 1.27.1 Stabilizes Pydantic 2.13 Schema Generation and OAuth Metadata Handling — Primary source: https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.27.1. Technical depth angle: explain output-schema generation failures, optional URL coercion in OAuth client metadata, httpx dependency bounds, SSE public API imports, and why MCP transport/auth libraries need conservative compatibility pins.
OpenAI API and SDK Updates Add Realtime 2, Web Search Results Inclusion, and Image 2 Type Repairs — Primary source: https://github.com/openai/openai-node/releases/tag/v6.37.0. Technical depth angle: explain realtime model/API surface migrations, response include semantics for web_search_call.results, image-generation enum regressions, admin usage response quantity fields, SDK typegen release cadence, and why pinned client versions matter for production API callers.

Show Notes

[00:00] Codex 0.130.0 gives coding-agent operators a cleaner control plane. The headline feature is `codex remote-control`, a simpler entrypoint for starting a headless app-server that can be controlled remotely. That matters because coding agents are no longer only terminal tools. They are app-server sessions with threads, configuration snapshots, plugin surfaces, review events, file views, and remote clients that may need to inspect or continue work without sitting inside the original terminal. This release also adds paged thread views, plugin hook metadata, better live config refresh, more accurate turn diffs after partial patch failures, multi-environment image resolution, and richer telemetry for debugging review paths.

[02:00] STORY 1 — OpenAI Codex 0.130.0 Adds Remote-Control App Servers, Paged Thread Views, Plugin Hook Visibility, and Better State Repair
Start with the remote-control entrypoint. A headless app-server is a different operational object from a one-shot CLI run. The server owns sessions, threads, configuration, environment selection, tool execution, and client connections. Adding a top-level `codex remote-control` command lowers the friction for starting that control plane directly. For builders embedding coding agents into dashboards, IDEs, browser clients, or remote development machines, that is the surface that turns a local assistant into a service endpoint.

The important mechanism is separation of control and work. The app-server can keep a coding session alive while a client reconnects, pages through a large thread, opens a summary view, or requests a full item view only when needed. Codex 0.130.0 adds large-thread paging where clients can request unloaded, summary, or full turn item views. That is not just UI polish. Agent threads can become huge because they include user turns, model turns, tool calls, diffs, file references, approvals, images, and compacted summaries. Loading everything into every client wastes memory, increases latency, and makes remote clients brittle.

A paged thread API gives the app-server room to treat thread materialization as a contract. An unloaded item can preserve ordering and identity without transferring payload. A summary item can give enough context for navigation. A full turn item can be fetched when the user opens the detail. That pattern is familiar from logs, traces, and issue timelines, and coding agents now need it because their transcripts are operational records, not just chat text.

Plugin details now show bundled hooks, and plugin sharing exposes link metadata plus discoverability controls. Hooks are part of the actual runtime behavior of a plugin. If a plugin can modify startup, observe a tool call, provide a command, or participate in review, operators need to see that before they install or share it. Hiding hooks inside a package turns plugin review into guesswork. Showing them in plugin details makes the execution surface auditable.

The release also repairs live app-server configuration behavior. Live app-server threads now pick up config changes without requiring a restart. In an agent runtime, configuration can include model choices, approval policies, provider settings, tool availability, plugin state, environment selection, and telemetry options. If a long-running thread keeps using stale config, operators may believe they changed policy while an active agent continues with old settings. Refreshing live threads from the latest config snapshot makes policy changes take effect where work is happening.

Turn diffs get a particularly practical fix. Codex now keeps diffs accurate across `apply_patch` operations, including partial failures that still mutated files. This failure mode matters. A patch can fail in the middle but still change part of a file. If the runtime reports the wrong diff afterward, the user cannot trust the review view, rollback logic, or audit trail. Operation-backed diff tracking is the right direction: record what the operation actually changed, not what the ideal patch was supposed to change.

ThreadStore fixes improve summaries, renames, resume, and fork paths, including threads without local rollout paths. That means the thread storage layer is becoming the source of truth for more lifecycle operations. Resume and fork are especially important for coding agents because a user may want to branch an investigation, continue a failed run, or open a thread from a remote client that lacks the original local rollout path. If thread identity depends too much on local filesystem state, remote and headless workflows break.

Remote compaction also gets stream-contract fixes. Codex now emits `response.processed` for v2 streams and avoids sending `service_tier` on API-key compact requests. Compaction is how long sessions stay usable, but remote compaction has to speak the same event language as the rest of the app-server. A missing processed event can leave clients waiting for a terminal state. Sending unsupported fields on a compact request can break only the compaction path while normal turns still work, which is hard to diagnose.

Multi-environment support shows up in `view_image`, which can now resolve files through the selected environment. Coding agents often operate across a host, container, sandbox, remote workspace, or mounted project. An image path is not meaningful unless the runtime knows which environment owns it. Resolving through the selected environment prevents a client from accidentally looking at the wrong filesystem or failing to display an artifact that exists inside the active sandbox.

Bedrock authentication support now accepts AWS console-login credentials from `aws login` profiles. That is an operator convenience with real deployment impact. Many teams already manage AWS access through profile-based flows. Letting Codex use those profiles reduces duplicate credential paths and makes model-provider auth line up with existing cloud access controls.

The telemetry changes are useful for production debugging. Codex adds configurable OpenTelemetry trace metadata and richer review and feedback analytics. Review events are a core part of coding-agent safety. If a command was approved, denied, retried, or escalated, operators need enough trace context to understand why. Good telemetry should connect a session, turn, tool call, approval decision, model request, and user-visible result without leaking secrets.

The practical recommendation is to treat Codex app-server deployments like service deployments. Pin the version, start remote-control deliberately, document which clients can connect, audit plugin hooks before sharing, keep configuration refresh behavior in mind, and test patch failure cases. The release is not only about new commands; it is about making a coding agent controllable, inspectable, and recoverable when sessions grow large and run remotely.

[16:00] STORY 2 — Microsoft’s Semantic Kernel RCE Research Turns Prompt Injection into a Tool-Execution Boundary Lesson
Microsoft’s security post is a direct reminder that prompt injection becomes more dangerous when language is wired to tools. The model is not the vulnerable component in the case study. The model receives text, decides to call a tool, and fills tool arguments. The vulnerable boundary is the framework and plugin code that trusts those arguments and turns them into executable host behavior.

The first disclosed issue centers on Semantic Kernel’s In-Memory Vector Store search path. The example agent exposes a hotel search function. A user asks for hotels in a city. The model calls the search plugin with a `city` argument. The plugin builds a deterministic filter to narrow the dataset before vector similarity. The risky step is that a model-controlled argument is interpolated into a Python lambda expression and then executed with `eval()`.

That is the execution boundary. A normal city value becomes a filter expression. A malicious value can close a quote and append Python logic. The prompt injection does not need a browser exploit, a malicious attachment, or memory corruption. It needs the agent framework to take a language-derived parameter and place it into an executable expression. Once that happens, prompt injection has become code injection.

The attempted mitigation used AST validation and a restricted builtins environment. At a high level, the validator allowed lambda expressions, scanned names and attributes for dangerous identifiers, and executed with `__builtins__` removed. That sounds reasonable, but dynamic languages make blocklists fragile. Microsoft’s researchers bypassed the filter without using the obvious blocked names directly. The payload traversed Python object structures to locate import machinery and reach system command execution through alternate attributes.

The lesson is not simply “do not use eval.” The broader lesson is that tool-call arguments are untrusted input even when they came from a model, even when the user did not type code directly, and even when the schema says the field is a city name. A model can be induced to place attacker-controlled strings into any argument it is allowed to fill. If the tool then interprets that string as code, a query language, a shell command, a file path, or a template, the framework has created an injection sink.

Vector search makes this easy to underestimate because it feels like retrieval infrastructure rather than code execution. But vector stores often support metadata filters, expression languages, custom predicates, embedding prefilters, rerankers, and connector-specific query strings. Every one of those can become an injection boundary if user or model-controlled values are concatenated into an interpreted expression. Safe design usually means parameterized filters, typed DSLs, allowlisted operators, and validation that rejects unexpected structure before execution.

A robust fix should remove string-code construction from the default path. Instead of generating a lambda string, a framework can build a predicate from typed fields and operators. For example, `field equals value` should be data, not source code. If a filter language is unavoidable, the runtime should parse into a constrained AST and evaluate with an interpreter that only understands the allowed operations. It should not call the host language evaluator and try to block dangerous behavior afterward.

Least privilege also matters. Search plugins should not run with the same filesystem, process, and network privileges as the host application if they do not need them. A hotel-search predicate does not need shell access. If a framework bug turns a filter into code execution, the sandbox and process privileges determine the blast radius. Agent frameworks should isolate plugin execution, limit environment variables, avoid passing credentials into generic tool processes, and log tool parameters carefully enough for incident response.

Detection is practical. Teams using agent frameworks should inventory tools that execute templates, filters, shell commands, notebook cells, Python snippets, JavaScript snippets, SQL, or file operations. They should look for model-controlled values passed into those interpreters. They should patch Semantic Kernel and related packages, but also review custom plugins because the same pattern appears in application code. Prompt-injection security is not only a model-evaluation problem; it is input validation and execution isolation for tool runtimes.

The operator takeaway is blunt: every agent tool is an API endpoint whose caller is partly controlled by the model. Treat tool schemas as external API contracts. Validate inputs at the tool boundary. Prefer typed data structures over interpreted strings. Keep plugin permissions narrow. Log enough to reconstruct which prompt caused which tool arguments. And test prompt injection by trying to force the agent to pass hostile parameters into tools, not only by checking whether the model says unsafe words.

[28:00] STORY 3 — GitHub Copilot SDK Adds Plan-Approval and Rate-Limit Mode Hooks plus Cross-SDK Diagnostics
The Copilot SDK May 8 pre-release is about embedding agent sessions into products with more explicit runtime control. Applications can now register callbacks for `exitPlanMode.request` and `autoModeSwitch.request`. Those events matter because plan mode and automatic model switching are product decisions, not just model decisions.

Plan mode is a boundary between proposing work and doing work. In an embedded coding agent, the application may want a human to approve the plan, a policy engine to check it, or a project-specific rule to block certain changes. The new handlers let applications decide whether an exit-plan-mode request is approved. That gives the host product a clear interception point before the runtime moves from planning into execution.

Automatic model switching after rate limits is a different kind of boundary. A runtime may want to recover from rate-limit events by moving to another model or mode. That can preserve continuity, but it can also change behavior, cost, latency, or capability. The `autoModeSwitch.request` handler lets the application decide whether to accept that switch. For enterprise products, that is important because model choice can be tied to data policy, compliance, evaluation baselines, or budget controls.

The release also adds structured diagnostics across .NET, Python, and Rust. The logs cover CLI startup, TCP connection, JSON-RPC request timing, session lifecycle, and error paths. This is exactly the visibility an embedded agent SDK needs. When a session fails, the cause may be process startup, transport, auth, JSON-RPC framing, runtime event handling, model response, tool execution, or host callback behavior. Without structured timing and lifecycle logs, every failure looks like “the agent hung.”

The JSON-RPC detail is worth highlighting. Many coding-agent SDKs wrap a local runtime process and communicate over JSON-RPC. That means there is a client object in the application, a runtime process, a transport connection, request IDs, event streams, and long-running operations. Diagnostics need to show when the runtime started, when the TCP connection opened, which JSON-RPC requests were sent, how long they took, and where errors surfaced. Otherwise application developers cannot distinguish SDK misuse from runtime failure.

The `enableSessionTelemetry` option makes telemetry an explicit session choice. That is the right shape for privacy and operations. Some deployments want internal session telemetry to debug issues and improve product quality. Others need it disabled by policy. Putting the knob on session configuration and resume configuration makes the decision auditable and repeatable instead of relying on hidden defaults.

There are smaller compatibility fixes that matter for long-lived SDK users. C# session-event enums are now string-backed readonly structs so deserialization does not fail when the runtime adds new enum values. That is forward compatibility for event streams. Rust binary tool result resource blobs now default to `application/octet-stream` when `mimeType` is absent. That is a wire-format resilience fix. Both changes reduce breakage when runtimes and SDKs evolve at different speeds.

The practical builder implication is that Copilot SDK sessions are becoming host-controlled runtime objects. If you embed them, implement the plan-mode and mode-switch callbacks deliberately. Decide which switches can happen automatically and which need review. Turn on diagnostics in development and staging. Capture JSON-RPC timing around slow or flaky sessions. Treat telemetry as a policy decision. And test older clients against newer runtime events so enum and event forward compatibility does not surprise you.

[38:00] STORY 4 — Microsoft Agent Framework 1.5 Moves Orchestration, Observability, Browser-Tool Policy, and Wire Semantics Forward
Microsoft Agent Framework’s May 8 release is broad, but several changes are directly relevant to production agent builders. The .NET line adds Magentic Orchestration, WebBrowsingTool allowlisting, hosted-agent observability samples, reasoning events in AGUI, todo multithreading improvements, and Foundry per-call client headers. The Python line nearby adds class-based skills and experimental harness context providers. The release also fixes tool-output wire format, workflow loops, YAML parsing, multiparty serialization, and sequence numbering.

Magentic Orchestration is the headline because multi-agent systems need more than a list of agents. They need scheduling, delegation, turn ownership, shared state, termination conditions, and a way to decide which agent should act next. An orchestration layer formalizes those mechanics. Marking it experimental is appropriate because orchestration semantics become application architecture: a bad scheduler can loop, duplicate work, hide failures, or let one agent dominate the conversation.

WebBrowsingTool allowlisting is an important browser/computer-use control. Browsing tools connect an agent to external content that can be malicious, untrusted, or simply distracting. An allowlist gives the host application a policy surface for which browsing destinations or browser behaviors are permitted. In agent systems, browsing is not just reading. The browser can fetch prompt-injection content, submit forms, follow redirects, expose cookies, and retrieve files. Policy needs to exist before the tool runs.

Hosted-agent observability samples are also valuable because deployment is where framework abstractions meet production reality. A hosted agent needs logs, traces, request correlation, model-call visibility, tool-call timing, and failure state. Observability samples can become the reference pattern for teams that would otherwise ship agents with only console logs. The useful question for any hosted agent is: can we reconstruct a failed run from the external request through the orchestration decision, model call, tool call, and final response?

Reasoning events in AGUI expose another transport issue. User interfaces need to render agent progress without mixing private chain-of-thought, tool rationale, and user-visible reasoning summaries incorrectly. A reasoning event channel lets the framework represent progress or reasoning-related state as structured events. The application still has to decide what is safe to show, store, and transmit, but structured events are better than scraping text from a stream.

Todo multithreading and todo injection into the message list show how state management becomes a runtime feature. Agents use todo lists to plan, track progress, and recover after interruptions. If todo state is not thread-safe, concurrent updates can corrupt the plan. If todo state is not visible in the message context, the model may lose track of commitments. Injecting todos into the message list makes task state part of the model context, while multithreading improvements reduce race conditions around updates.

The `function_call_output.output` wire-format fix is small but critical. The release fixes it to be a JSON string on the wire. Tool output formats are contracts between runtime, SDKs, models, and clients. If one side expects a string and another side sends structured JSON directly, deserialization or replay can fail. Agent frameworks must be strict about these wire contracts because tool outputs are often stored, streamed, compacted, and resumed later.

Sequence number generation gets a fix for duplicate or out-of-order IDs. Event ordering is foundational for agent UIs and logs. If two events share a sequence number or arrive with inconsistent ordering, clients can render stale state, drop updates, or mis-associate tool results. In a multi-agent or multiparty conversation, ordering bugs are especially painful because the user cannot tell which agent said or did what first.

Workflow re-entry and YAML parsing fixes speak to declarative-agent reliability. A QuestionExecutor loop after GotoAction re-entry is the kind of bug that turns declarative workflow convenience into runaway behavior. YAML block scalar parsing for file skills matters because file-based skill definitions often contain prompts, instructions, examples, or scripts. If block scalars parse incorrectly, the skill the agent sees is not the skill the developer wrote.

The practical recommendation is to evaluate this release through production surfaces. If you use Microsoft Agent Framework, inspect how orchestration chooses the next actor, define browser-tool allowlists before connecting external sites, wire observability before rollout, treat reasoning events as a governed UI channel, test todo state under concurrency, and validate wire compatibility for tool outputs. Framework releases are not only new abstractions; they are changes to the runtime contracts your application depends on.

[50:00] Closing
The practical takeaway from EP048 is operational. Codex 0.130.0 makes coding-agent sessions more service-like with remote-control app servers, paged thread views, plugin hook visibility, config refresh, and better recovery around patches and compaction. Microsoft’s Semantic Kernel research shows how model-controlled tool arguments can become code execution if frameworks turn them into interpreted host-language expressions. GitHub Copilot SDK gives embedded products approval and recovery hooks plus diagnostics. Microsoft Agent Framework 1.5 pushes orchestration, browser policy, observability, event transport, todo state, and wire-format correctness forward. For builders, the work is to make every agent runtime boundary explicit: control plane, tool input, approval event, browser policy, telemetry, and stored thread state.

Verified Links

OpenAI Codex — Release rust-v0.130.0: https://github.com/openai/codex/releases/tag/rust-v0.130.0
Microsoft Security — When prompts become shells: RCE vulnerabilities in AI agent frameworks: https://www.microsoft.com/en-us/security/blog/2026/05/07/prompts-become-shells-rce-vulnerabilities-ai-agent-frameworks/
GitHub Copilot SDK — Releases: https://github.com/github/copilot-sdk/releases
Microsoft Agent Framework — Releases: https://github.com/microsoft/agent-framework/releases
LangChain Core — Release 0.3.86: https://github.com/langchain-ai/langchain/releases/tag/langchain-core%3D%3D0.3.86
MCP Python SDK — Release v1.27.1: https://github.com/modelcontextprotocol/python-sdk/releases/tag/v1.27.1
OpenAI Node SDK — Release v6.37.0: https://github.com/openai/openai-node/releases/tag/v6.37.0

Chapters

[00:00] Hook — Codex Remote-Control and App-Server State
[02:00] OpenAI Codex 0.130.0 Adds Remote-Control App Servers, Paged Thread Views, Plugin Hook Visibility, and Better State Repair
[16:00] Microsoft’s Semantic Kernel RCE Research Turns Prompt Injection into a Tool-Execution Boundary Lesson
[28:00] GitHub Copilot SDK Adds Plan-Approval and Rate-Limit Mode Hooks plus Cross-SDK Diagnostics
[38:00] Microsoft Agent Framework 1.5 Moves Orchestration, Observability, Browser-Tool Policy, and Wire Semantics Forward
[50:00] Closing