Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Codex CLI Guardian
v1.0.0
Codex CLI session guardian. Manages API keys, task execution, and result summaries. Provides background-mode execution, API key validation, session locking, and PID tracking.
by 林捷 @alukardo
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The declared metadata lists no required env vars or binaries, but the skill clearly needs an API key (OPENAI_API_KEY_0011AI stored in credentials.env) and depends on local binaries: codex, script (pty wrapper), python3, git. Those are required for its stated purpose (driving Codex in background) — so the capability is plausible — but the registry declaration omits those necessary pieces, which is an incoherence the user should know about.
Instruction Scope
Runtime instructions and scripts do more than just call a remote API: they read/write files under the skill directory (credentials.env, state/current-task.json, state/tasks/*.json, codex.lock), create a temporary Git repo and a /tmp workspace, launch background codex exec sessions (with --full-auto and workspace-write), and can spawn long-running processes. They also read an environment variable fallback. The scripts rely on local filesystem state (and produce task summaries that include absolute paths). While this is consistent with a session manager, it does direct the agent to create files, run external binaries, and persist a secret locally — actions that expand the agent's reach and should be explicit in metadata.
Install Mechanism
No install spec (instruction-only) — which reduces installer risk because nothing is downloaded at install time. However the packaged skill includes executable scripts that will be run at runtime. Because no external downloads/install steps are declared, users must ensure the required host binaries (codex, script, python3, git) are present and understood.
Credentials
Although the registry lists no required env vars/primary credential, the code expects and stores OPENAI_API_KEY_0011AI in credentials.env. The skill also accepts the key from an environment variable fallback. Requesting and persisting a single service API key is reasonable for the stated purpose, but the omission from metadata is a mismatch. Additionally, Codex runs with --full-auto and workspace-write, which effectively gives the invoked Codex session broad file-system write capability (not just the API key) — this increases the blast radius of the stored key and of any agent-driven actions.
Persistence & Privilege
always:false (no forced inclusion) and autonomous invocation is allowed by default. The skill persists data (credentials.env, state files, lock file) and launches background child processes; this is coherent with a session manager. No evidence the skill modifies other skills' configs or requests system-wide persistent privileges beyond writing under its own skill directory and /tmp. Still, background execution + stored API key + broad Codex execution flags increases potential risk if the skill is misused.
What to consider before installing
Key points to consider before installing:
- The skill will ask you to provide an API key (OPENAI_API_KEY_0011AI) and will store it in skills/codex-cli-guardian/credentials.env (permissions 600). The registry metadata does NOT declare this credential — treat that omission as a red flag and verify you are comfortable storing the key there.
- The package expects local binaries that are not declared: the 'codex' CLI, the 'script' PTY wrapper, python3, and git. Confirm you know what those binaries are, that they are the authentic tools you expect, and that calling them is acceptable in your environment.
- The skill runs Codex with --full-auto and workspace-write (and uses a PTY wrapper). That means the invoked Codex session can perform arbitrary file writes within the workspace and run commands — review whether you want an automated component that can make changes without interactive approvals.
- The scripts create and persist state and summary files (which may include absolute paths from your environment). If exposing file paths or generated summaries is a concern, inspect/relocate the state directory before use.
- Although codex-call.sh uses Python shlex.quote() to reduce injection risk, any component that shells out with user-supplied task text still requires careful review. Inspect the scripts yourself (bin/codex-call.sh, bin/session.sh, scripts/init-setup.sh) and test in a safe sandbox before granting access to sensitive keys or production data.
- Practical steps: (1) run scripts/init-setup.sh check to see current state, (2) inspect the credentials.env path and consider using a transient test key, (3) ensure the codex binary is the real official client, (4) run the skill in an isolated environment (container or dedicated user account) first, and (5) rotate the API key after testing if you used a real key.
If you want, I can produce a concise checklist of commands to inspect and sandbox this skill before enabling it in your agent.
Like a lobster shell, security has layers — review code before you run it.
