Codex Review
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent code-review orchestrator, but users should note that the optional external-model review can send reviewed code to a configured API and that L2/L3 depend on another skill.
This looks reasonable for an instruction-only code-review skill. Before installing, decide whether you are comfortable sharing reviewed code with the configured external model, review the companion bug-audit skill if you plan to use L2/L3, and clean up the temporary hotspot file if it contains sensitive project findings.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Reviewed source code may be gathered from local or remote project sources and, if configured, sent to an external review endpoint.
The skill gives the agent broad ways to collect code and optionally send it to an external model, which is expected for code review but should remain user-directed.
Gather code — local `read`, `git clone <url>`, server scp, user-pasted snippet, or PR diff ... Round 1 — send to external model API for automated scan
Use this only on repositories you intend to review, and confirm whether the optional external model should be used for private or proprietary code.
If you configure an API key, the agent can spend quota and submit selected code content to that provider.
The skill can use an external model API key. This is purpose-aligned and disclosed, but it is still delegated access to a third-party service.
Set env vars: `CODEX_REVIEW_API_BASE` ... `CODEX_REVIEW_API_KEY`, `CODEX_REVIEW_MODEL` ... Credentials via environment variables only
Use a scoped key where possible, monitor usage, and avoid enabling it for code that cannot be shared with the configured provider.
Installing or invoking L2/L3 may bring in behavior from another skill beyond this review package.
The deeper review modes depend on a separate companion skill that is not included in the provided artifacts.
`clawhub install bug-audit # Required for L2/L3`
Review the bug-audit skill separately before relying on L2 or L3 workflows.
Project file names and issue summaries may remain in a temporary local file and be reused by later review steps.
The skill stores review findings in a local handoff file for later audit stages, creating persistent context that can influence subsequent review.
After L1, write issue summary to `${TMPDIR:-/tmp}/codex-review-hotspots.json`
Delete the hotspot file if it is no longer needed, and verify the handoff contents before using them for deeper audits.
A user could overlook that enabling the external API changes the data-sharing behavior.
The privacy language says code is not uploaded by default, while also disclosing that code snippets are sent when the optional external API is enabled.
It does NOT modify, delete, or upload your code anywhere ... Code snippets sent to the external API are limited to the files being reviewed
Interpret the no-upload claim as applying only when the external model is not configured, and explicitly decide whether API-based review is acceptable.
