Codex Bridge
Warn
Audited by ClawScan on May 10, 2026.
Overview
Codex Bridge mostly matches its stated purpose, but it can launch Codex in background full-auto mode against arbitrary work directories and has weak task path containment, so it deserves careful review.
Use this skill only if you are comfortable letting OpenClaw start a background Codex coding agent that can run commands and edit files in the chosen project directory. Prefer version-controlled workdirs, review/approve dispatches, use safe simple task IDs, avoid secrets in prompts, and periodically clean up ~/.codex-bridge task logs.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A dispatched task can let Codex run commands and edit files in the selected directory in the background; a mistaken or prompt-injected task could change more than the user expected.
The bridge invokes Codex in fully automatic mode in a caller-supplied working directory and disables the git repository check, broadening command/file mutation authority without per-action approval.
"exec", "--json", "--color", "never", "--full-auto", "--skip-git-repo-check", "-C", workdir, prompt
Require explicit user confirmation before dispatching full-auto tasks, avoid --full-auto and --skip-git-repo-check by default, restrict workdirs to intended projects, and recommend version control or backups before use.
A crafted task ID could cause bridge directories, logs, or state files to be created outside the intended task folder within the user's filesystem.
The task ID is accepted directly and concatenated into filesystem paths without rejecting slashes or '..', so crafted task IDs can escape the intended ~/.codex-bridge/tasks namespace.
-t|--task-id) TASK_ID="$2"; shift 2 ;; ... mkdir -p "$TASKS_DIR/$TASK_ID"
Validate task IDs with a safe pattern such as letters, numbers, dots, underscores, and hyphens only; reject path separators and dot-dot segments; and canonicalize paths to ensure they remain under TASKS_DIR.
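As an added illustration of this recommendation and of the earlier advice to restrict workdirs to intended projects (not code from the Codex Bridge skill; TASKS_DIR, PROJECTS_ROOT and the function names are assumptions), a POSIX shell validator that rejects unsafe task IDs, confirms the created task directory still resolves under TASKS_DIR, and applies the same containment check to a caller-supplied workdir:

```shell
#!/bin/sh
# Added example, not the skill's own code. TASKS_DIR and PROJECTS_ROOT are
# assumed environment variables; defaults below are constructed for illustration.
TASKS_DIR="${TASKS_DIR:-$HOME/.codex-bridge/tasks}"
PROJECTS_ROOT="${PROJECTS_ROOT:-$HOME/projects}"

# Accept only letters, digits, dot, underscore and hyphen (max 64 chars).
# Reject empty IDs, IDs starting with a dot ("." / ".." / hidden dirs) and
# anything containing a path separator or other character. 0 = safe, 1 = unsafe.
is_safe_task_id() {
    id="$1"
    [ "${#id}" -le 64 ] || return 1
    case "$id" in
        '' ) return 1 ;;
        .* ) return 1 ;;
        *[!A-Za-z0-9._-]* ) return 1 ;;
        * ) return 0 ;;
    esac
}

# Create the task directory only for a safe ID, then canonicalize the result
# (cd + pwd -P resolves symlinks and dot segments) and insist it lies under
# TASKS_DIR. Prints the resolved path on success.
task_dir_for() {
    id="$1"
    is_safe_task_id "$id" || { echo "refusing task id: $id" >&2; return 1; }
    base=$(cd "$TASKS_DIR" 2>/dev/null && pwd -P) || { echo "missing TASKS_DIR" >&2; return 1; }
    dir="$base/$id"
    mkdir -p "$dir" || return 1
    resolved=$(cd "$dir" && pwd -P) || return 1
    case "$resolved" in
        "$base"/*) printf '%s\n' "$resolved"; return 0 ;;
        *) echo "path escaped TASKS_DIR: $resolved" >&2; return 1 ;;
    esac
}

# Allow a workdir only if it canonicalizes to PROJECTS_ROOT or a directory
# beneath it, so "../" tricks and symlinks cannot point the agent elsewhere.
workdir_allowed() {
    root=$(cd "$PROJECTS_ROOT" 2>/dev/null && pwd -P) || return 1
    target=$(cd "$1" 2>/dev/null && pwd -P) || return 1
    case "$target" in
        "$root"|"$root"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (constructed): TASK_DIR=$(task_dir_for "$TASK_ID") || exit 1
#                      workdir_allowed "$WORKDIR" || exit 1
```

The pattern check runs before any filesystem access, so a rejected ID never reaches `mkdir`; the post-creation `pwd -P` check is a second line of defence against symlinked task directories.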
Codex work may continue after the initial OpenClaw interaction until the task completes, errors, waits for input, or is manually killed.
The bridge intentionally starts a background process that continues after dispatch; this is central to the skill and documented, but users should recognize it as persistent autonomous activity.
nohup python3 "$SKILL_DIR/bridge.py" ... >> "$TASKS_DIR/$TASK_ID/bridge.launch.log" 2>&1 &
Show users the task ID and PID, provide clear stop/cleanup instructions, and avoid starting background Codex tasks unless the user expects them.
Private project details or prompt contents may remain on disk under the bridge task directory after the task finishes.
The bridge writes commands, Codex events, and assistant output to persistent local files, which may include prompts, code, answers, or other sensitive task context.
append_text(self.bridge_log, f"\n[{now_iso()}] RUN {' '.join(cmd)}\n") ... append_text(self.events_file, json.dumps(event) + "\n") ... append_text(self.output_file, merged + "\n")
Avoid putting secrets in prompts, document retention and cleanup, consider redacting sensitive prompt text from logs, and ensure the task directory has appropriate local permissions.
Tasks run under the user's local OS account and configured Codex/OpenAI CLI authority.
The skill does not collect credentials directly, but it uses whatever account, session, and local authority the installed Codex CLI already has.
Uses the local `codex` CLI (`codex exec` and `codex exec resume`).
Verify the configured Codex account and its permissions before use, and do not dispatch projects or prompts that should not be processed by that Codex CLI setup.
