Yup, you can ask Codex to do things like expose tokens stored in your browser and to post them to a webhook or manipulate the DOM.

It's difficult as these can be valid tasks, they can also be quite malicious.